Closed Bug 1031630 Opened 10 years ago Closed 10 years ago

Origin header not sent when a form is submitted via javascript

Categories

(Core :: General, defect)

32 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 446344

People

(Reporter: me, Unassigned)

Attached file originpoc.html
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 (Beta/Release)
Build ID: 20140619004025

Steps to reproduce:

Create an HTML page that creates a form and sends it via JavaScript. An example is attached to this bug report.


Actual results:

The example code shown sends a POST request to "https://example.com/postpage" without the Origin header.


Expected results:

The example code should have sent a POST request with an Origin header as defined in RFC 6454.

This is noted in this comment (https://bugzilla.mozilla.org/show_bug.cgi?id=446344#c53), but has not received a response. This is a problem because it makes Origin a broken solution for CSRF protection: the site must choose either to deny requests without the Origin header and risk excluding some users, or to accept the request and thus be open to CSRF.
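
The choice described in the report above, as an added example that is not part of the bug report or of Firefox code: a server-side check showing how each policy treats a form POST that arrives without an Origin header. It goes beyond the report by including a Referer fallback as a third policy; `TRUSTED_ORIGIN`, `checkRequest`, `originOf` and the sample headers are constructed for illustration.

```javascript
// Added example: handling a state-changing request whose Origin header
// may be absent. TRUSTED_ORIGIN and all sample headers are constructed.
const TRUSTED_ORIGIN = "https://example.com";

// Reduce a URL (e.g. a Referer value) to its scheme://host[:port] origin.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // an unparsable value is treated as untrusted
  }
}

// policy: "strict"  -> reject when Origin is missing (may exclude users)
//         "lenient" -> accept when Origin is missing (open to CSRF)
//         "referer" -> fall back to Referer; reject if that is missing too
function checkRequest(method, headers, policy) {
  if (["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  const origin = headers["origin"];
  if (origin !== undefined) {
    // Header present: "null" or any value other than the trusted origin fails.
    const ok = origin === TRUSTED_ORIGIN;
    return { allow: ok, reason: ok ? "origin match" : "origin mismatch" };
  }
  if (policy === "strict") return { allow: false, reason: "origin missing" };
  if (policy === "lenient") return { allow: true, reason: "origin missing, accepted" };
  const ref = headers["referer"] ? originOf(headers["referer"]) : null;
  if (ref === null) return { allow: false, reason: "origin and referer missing" };
  const ok = ref === TRUSTED_ORIGIN;
  return { allow: ok, reason: ok ? "referer match" : "referer mismatch" };
}

// Constructed requests: a same-site and a cross-site form POST, both
// arriving without an Origin header as in this report.
const sameSiteNoOrigin = { referer: "https://example.com/form" };
const crossSiteNoOrigin = { referer: "https://attacker.example/page" };

for (const policy of ["strict", "lenient", "referer"]) {
  console.log(policy,
    checkRequest("POST", sameSiteNoOrigin, policy).allow,
    checkRequest("POST", crossSiteNoOrigin, policy).allow);
}
```

The Referer fallback only narrows the gap: a request that carries neither header still has to be rejected or accepted.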
OS: Linux → All
Hardware: x86_64 → All
See Also: → 446344
This doesn't smell like a necko bug to me, but I'm not sure which component to put it in.
Component: Networking: HTTP → General
This is an exact duplicate of bug 446344, no?  I mean, form posts are what bug 446344 comment 0 is about.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE