Closed
Bug 1031630
Opened 10 years ago
Closed 10 years ago
Origin header not sent when a form is submitted via javascript
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 446344
People
(Reporter: me, Unassigned)
References
Details
Attachments
(1 file)
844 bytes,
text/html
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 (Beta/Release) Build ID: 20140619004025 Steps to reproduce: Create a html page that creates a form and sends it via javascript. An example is attached to this bug report. Actual results: The example code shown sends a POST request "https://example.com/postpage" without the Origin header. Expected results: The example code should have sent a POST request with an Origin header as defined in RFC 6454. This is noted in this comment (https://bugzilla.mozilla.org/show_bug.cgi?id=446344#c53), but has not received a response. This is a problem, because it makes Origin a broken solution for CSRF protection, as the site must make a choice to deny requests without the Origin header, and risk excluding some users, or accept the request, and thus be open to CSRF.
Reporter | ||
Updated•10 years ago
|
Comment 1•10 years ago
|
||
This doesn't smell like a necko bug to me, but I'm not sure which component to put it in.
Component: Networking: HTTP → General
Comment 2•10 years ago
|
||
This is an exact duplicate of bug 446344, no? I mean, form posts are what bug 446344 comment 0 is about.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•