No origin header is added on cross origin POST http requests when submitted via forms
Categories: Core :: DOM: Security, defect
People: Reporter: abhishek.dharani; Unassigned
User Agent: Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36
Steps to reproduce:
- Host a form under one domain.
- Change the action of the form to that of an absolute URL or a complete URL, i.e. action="http://xyz.com/home.php" or something like this.
- On submitting the form, you will see that there's no Origin header added, as described in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
Actual results:
On submitting the form, the POST request takes place without the Origin header added.
Expected results:
An Origin header must be added.
I happened to notice this when I was attempting a login XSRF where the program checks for the Origin header. Both Chrome and Safari add the Origin header when submitting the POST HTML form to a cross origin. But Mozilla Firefox Quantum 65.0.1 let me through with the attack as it did not add any Origin header.
Thanks
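The failure mode the reporter hit is a server-side check that inspects Origin only when the header is present. As an added example (not code from the bug report or from Firefox), the snippet below models that weak check beside a fail-closed variant and runs both over constructed request headers, including the Firefox 65 case where a cross-origin form POST arrives with no Origin at all. SITE_ORIGIN, the sample host names and the Referer fallback are assumptions for the example; xyz.com is the host used in the report.

```python
from urllib.parse import urlsplit

# The protected site's own origin; constructed value for this example.
SITE_ORIGIN = "https://app.example"


def _origin_of(url: str) -> str:
    """Reduce an absolute URL (e.g. a Referer) to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def weak_check(headers: dict) -> bool:
    """Rejects only when Origin is present and foreign: a missing Origin passes.
    A browser that omits Origin on cross-origin form POSTs bypasses this."""
    origin = headers.get("Origin")
    return origin is None or origin.lower() == SITE_ORIGIN


def strict_check(headers: dict) -> bool:
    """Fail-closed: accept a matching Origin, or (when Origin is absent) a
    matching Referer origin; 'null' and a request with neither are rejected."""
    origin = headers.get("Origin")
    if origin is not None:
        # "null" (opaque origin, e.g. a sandboxed frame) must never match.
        return origin.lower() == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        return _origin_of(referer) == SITE_ORIGIN
    return False  # no evidence of where the POST came from


# Constructed header sets, as the server would see them on the POST.
SAMPLES = {
    "same_site": {"Origin": "https://app.example", "Referer": "https://app.example/login"},
    "cross_site_with_origin": {"Origin": "http://xyz.com", "Referer": "http://xyz.com/home.php"},
    "cross_site_firefox65": {"Referer": "http://xyz.com/home.php"},  # Origin omitted
    "cross_site_no_headers": {},
    "sandboxed_null": {"Origin": "null"},
}


def evaluate(check) -> dict:
    """Apply a check function to every sample and return name -> accepted."""
    return {name: check(h) for name, h in SAMPLES.items()}
```

Run evaluate(weak_check) and evaluate(strict_check) side by side: the weak check accepts both cross-site cases that lack an Origin header, the strict one rejects them while still admitting the same-site request.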
Comment 1•6 years ago
Per https://stackoverflow.com/questions/42239643/when-does-firefox-set-the-origin-header-to-null-in-post-requests, apparently we don't send the Origin header for POST requests, and the spec requires it as of https://github.com/whatwg/fetch/commit/eb89fcd54bb39e81b11c569f6ad7ba615883f7b9 .
Anne, can you comment as to whether my understanding is correct and/or why I can't find any bugs on file to fix our behavior? Are there compat concerns or something?
Comment 3•6 years ago
I suspect this is a duplicate of bug 446344, though note that per bug 1424076 it's not enabled by default yet and there are some issues still.