Closed Bug 1530574 Opened 2 years ago Closed 2 years ago

No origin header is added on cross origin POST http requests when submitted via forms

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1424076

People

(Reporter: abhishek.dharani, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36

Steps to reproduce:

  1. host a form under one domain
  2. change the action of the form to that of an absolute url or a complete url i.e action="http://xyz.com/home.php" or something like this.
    3)On submitting the form you will see that there's no origin header added as described in

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

Actual results:

On submitting the form the Post request takes place without the origin header added.

Expected results:

An origin header must be added.

I happened to notice this when ibwas attempting a login xsrf where the program checka for the origin header. Both chrome and safari add the origin header when submitting the POST html form to a cross origin. But mozilla firefox quantum 65.0.1 let me with the attack as it did not add any origin header.

Thanks

Per https://stackoverflow.com/questions/42239643/when-does-firefox-set-the-origin-header-to-null-in-post-requests apparently we don't send the origin header for POST requests, and the spec requires so after https://github.com/whatwg/fetch/commit/eb89fcd54bb39e81b11c569f6ad7ba615883f7b9 .

Anne, can you comment as to whether my understanding is correct and/or why I can't find any bugs on file to fix our behavior? Are there compat concerns or something?

Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Networking
Ever confirmed: true
Flags: needinfo?(annevk)
Product: Firefox → Core
Version: other → unspecified
Duplicate of this bug: 1530569

I suspect this is a duplicate of bug 446344, though note that per bug 1424076 it's not enabled by default yet and there are some issues still.

Flags: needinfo?(annevk)
Group: core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1424076
Component: DOM: Networking → DOM: Security
You need to log in before you can comment on or make changes to this bug.