Open Bug 1341689 Opened 3 years ago Updated 6 months ago

Missing Origin header when requests to the same-origin and crossorigin set

Categories

(Core :: DOM: Core & HTML, defect, P2)

54 Branch

UNCONFIRMED

People

(Reporter: me, Unassigned)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

The "Origin" header is missing when requesting resources to the same-origin, even though the "crossorigin" attribute is set.

In my testing, Firefox was the only browser to exhibit this behavior. All others send the header regardless of domain.

Switching between "anonymous" and "use-credentials" did not rectify the issue.

Example:

<!--[http://1.com/index.html]-->
<html>
    <body>
        <!--[origin header is sent]-->
        <script src="http://2.com/script" crossorigin="anonymous"></script>
    </body>
</html>

<!--[http://2.com/index.html]-->
<html>
    <body>
        <!--[origin header is not sent]-->
        <script src="http://2.com/script" crossorigin="anonymous"></script>
    </body>
</html>


Actual results:

Origin header is not sent to the server.


Expected results:

Origin header should be sent to the server.
Summary: Origin header is missing when requesting resources to the same-origin with crossorigin set → Origin header is missing when requesting resources to the same-origin then crossorigin is set
Summary: Origin header is missing when requesting resources to the same-origin then crossorigin is set → Missing Origin header when requests to the same-origin and crossorigin set
Component: Untriaged → DOM
Product: Firefox → Core
I can confirm this bug. I'm now experiencing problems with Atlassian Confluence due to lack of Origin header for the same origin.
https://bugzilla.mozilla.org/show_bug.cgi?id=446344#c77 says Francois hopes to get to it this quarter.

Ben, why'd you make this depend on bug 446344 and not make it a dupe?
Flags: needinfo?(bkelly)
Priority: -- → P2
Another bug was handled like that, but it could probably be a dupe.
Flags: needinfo?(bkelly)
OK, if precedent exists let's leave this depending upon bug 446344. Thanks :)

I suspect this is https://github.com/whatwg/fetch/issues/871 in part (there other browsers are also not sending the header though).

Component: DOM → DOM: Core & HTML
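
A server-side source check that depends on Origin has to handle the case reported here, where the header is absent on a same-origin request. The sketch below is an added example, not code from this bug, Firefox, or Confluence; the trusted-origin list, the function names, and the policy for requests carrying neither header are assumptions.

```javascript
// Added example. TRUSTED_ORIGINS and all sample headers are constructed;
// 1.com and 2.com are the hosts used in the report's reproduction.
const TRUSTED_ORIGINS = new Set(["http://1.com", "http://2.com"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Serialized origin of a URL string, or null when it does not parse
// or has an opaque origin.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// headers: lower-cased header names, as Node's http module exposes them.
// Returns which header the decision was based on, so it can be logged.
function checkSourceOrigin(method, headers) {
  if (headers.origin !== undefined) {
    // Origin present: exact match only. The literal "null" never matches.
    return { allow: TRUSTED_ORIGINS.has(headers.origin), basis: "origin" };
  }
  // Origin absent: the case in this report (same-origin request, crossorigin set).
  // Fall back to the Referer header's origin rather than assuming a hostile request.
  const refererOrigin = headers.referer ? originOf(headers.referer) : null;
  if (refererOrigin !== null) {
    return { allow: TRUSTED_ORIGINS.has(refererOrigin), basis: "referer" };
  }
  // Neither header usable. Assumed policy: let safe methods through,
  // refuse state-changing ones.
  return { allow: SAFE_METHODS.has(method.toUpperCase()), basis: "none" };
}

// Constructed requests for http://2.com/script.
const samples = [
  ["GET", { origin: "http://1.com", referer: "http://1.com/index.html" }],
  ["GET", { referer: "http://2.com/index.html" }], // no Origin, as reported
  ["POST", { origin: "http://other.example" }],
  ["POST", {}],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), checkSourceOrigin(method, headers));
}
```

Logging the `basis` field per request shows how often clients reach the Referer fallback, which is the population affected by the behavior described in this bug.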