Why do we need Origin?

بازگشت به درس

این محتوا تنها در این زبان‌ها موجود است: English, Español, Français, Indonesia, Italiano, 日本語, 한국어, Русский, Türkçe, Українська, Oʻzbek, 简体中文. لطفاً به ما

As you probably know, there’s HTTP-header Referer, that usually contains an url of the page which initiated a network request.

For instance, when fetching http://google.com from http://javascript.info/some/url, the headers look like this:

          Accept: */*
Accept-Charset: utf-8
Accept-Encoding: gzip,deflate,sdch
Connection: keep-alive
Host: google.com
Origin: http://javascript.info
Referer: http://javascript.info/some/url
        

As you can see, both Referer and Origin are present.

The questions:

Why Origin is needed, if Referer has even more information?
Is it possible that there’s no Referer or Origin, or is it incorrect?

We need Origin, because sometimes Referer is absent. For instance, when we fetch HTTP-page from HTTPS (access less secure from more secure), then there’s no Referer.

The Content Security Policy may forbid sending a Referer.

As we’ll see, fetch has options that prevent sending the Referer and even allow to change it (within the same site).

By specification, Referer is an optional HTTP-header.

Exactly because Referer is unreliable, Origin was invented. The browser guarantees correct Origin for cross-origin requests.