Closed
Bug 1530569
Opened 5 years ago
Closed 5 years ago
No Origin header added in cross origin post request
Categories
(Firefox :: Untriaged, defect)
Firefox
Untriaged
Tracking
()
RESOLVED
DUPLICATE
of bug 1530574
People
(Reporter: abhishek.dharani, Unassigned)
Details
User Agent: Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36
Steps to reproduce:
Login cross site request forgery on a program would check for the origin in a html form post request. Chrome and opera were adding the origin headers, but not mozilla firefox quantum 65.0.1 when submitting a cross origin html form with post as the http method.
Actual results:
Steps to reproduce
- just host a random html form on your domain. The action of the form must have an absolute or a complete url to another domain so that it is a cross request (not exactly cors because there is no xhr).
- click submit and you will see that there is no Origin header added.
Expected results:
An origin header must be added accordingly to this:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
|
Reporter | |
Comment 1•5 years ago
|
||
Ok so reporting this via mobile wasn't worth it.
|
|
Reporter | |
Updated•5 years ago
|
Group: firefox-core-security
|
|
Reporter | |
Updated•5 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
|
||
Updated•5 years ago
|
Resolution: INVALID → DUPLICATE
|
||
Updated•6 months ago
|
Group: firefox-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•