missing Origin header in cross-site POST request from form in local file://
Categories
(Core :: DOM: Security, defect)
People
(Reporter: niklas.fiekas, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Steps to reproduce:
- Locally save an HTML file with the following content:
    <form action="https://echo-headers.lichess.workers.dev/" method="POST">
      <input type="submit">
    </form>
- Open the file from a file:// URL in Firefox 91 or Firefox Nightly 2021-08-09.
- Click the button to submit the form.
Actual results:
The resulting POST request does not include any Origin header, as observed using the displayed JSON response or the network tab of the developer tools.
Expected results:
An Origin header is expected for all cross-site POST requests. The request should have included an Origin header with content file:// or null.
This works properly in fetch requests from a local file:// as well as forms from http:// origins (here Origin is included as null or the real origin respectively).
It also works properly in Chrome, including forms from file:// URLs (here Origin is included as null).
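A server that relies on Origin for CSRF defence has to handle the three cases this report distinguishes (header absent, `null`, real origin). The sketch below is an added example, not part of the bug report or of Firefox; `checkOrigin`, `ALLOWED_ORIGINS` and `https://app.example` are hypothetical, and denying a request that carries neither Origin nor Referer is an assumed policy choice.

```javascript
// Added example: Origin check for state-changing requests.
// ALLOWED_ORIGINS and checkOrigin are hypothetical names; the origin is a constructed value.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// headers: plain object keyed by lower-cased header name.
function checkOrigin(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  const origin = headers["origin"];
  if (origin === undefined) {
    // Case from the report: a form POST from file:// arrives with no Origin at all.
    // Fall back to Referer; if that is missing too, the source is unknown.
    const referer = headers["referer"];
    if (referer === undefined) {
      return { allow: false, reason: "no Origin or Referer" };
    }
    let refOrigin;
    try {
      refOrigin = new URL(referer).origin;
    } catch (e) {
      return { allow: false, reason: "malformed Referer" };
    }
    return ALLOWED_ORIGINS.has(refOrigin)
      ? { allow: true, reason: "Referer origin allowed" }
      : { allow: false, reason: "Referer origin not allowed" };
  }
  if (origin === "null") {
    // Opaque origin (file://, sandboxed frame): present but never trustworthy.
    return { allow: false, reason: "opaque origin" };
  }
  return ALLOWED_ORIGINS.has(origin)
    ? { allow: true, reason: "Origin allowed" }
    : { allow: false, reason: "Origin not allowed" };
}

// Constructed sample requests covering the cases in the report.
const SAMPLES = [
  ["POST", {}],                                 // file:// form, header absent
  ["POST", { origin: "null" }],                 // file:// form or fetch, Origin: null
  ["POST", { origin: "https://app.example" }],  // same-site form
  ["POST", { origin: "https://evil.example" }], // cross-site form
];
for (const [method, headers] of SAMPLES) {
  console.log(method, JSON.stringify(headers), checkOrigin(method, headers));
}
```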
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'DevTools::Netmonitor' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.