Closed Bug 1608391 Opened 6 years ago Closed 3 years ago

Origin header is not sent from file protocol for POST requests

Categories

(Core :: DOM: Security, defect, P3)

72 Branch
defect

Tracking

()

RESOLVED DUPLICATE of bug 1605305

People

(Reporter: jakub.g.opensource, Unassigned)

References

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

  1. Save the following on disk as .html file and open in browser via file protocol.
<form method=post action=https://www.example.com>
<input type=submit>
</form>
  1. Open devtools. Click the submit button.

Actual results:

The request is sent without Origin header.

Expected results:

AFAIU the spec (https://fetch.spec.whatwg.org/#origin-header), request should have had Origin: null (this is the case when I test with Chrome).

Component: Untriaged → Security

(For context, the feature of sending Origin header was activated in Firefox 70 via bug 1424076)

Component: Security → DOM: Security
Product: Firefox → Core

This may affect more than file:// (needs investigation). I doubt we have any special-case for file: in the Origin header, more likely we get this wrong in other cases where we should send Origin: null (extension pages? data: url frames? sandboxed frames?)

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.