[whatwg] Origin header and <form>s

Jonas Sicking jonas at sicking.cc
Wed Jul 9 18:59:54 PDT 2008

Hi All,

The Access-Control spec [1] adds an 'Origin' header that is submitted 
with all requests. I propose that we specify that <form> POSTs should do 
the same. This would be a very powerful mechanism to prevent CSRF 
attacks as it would allow CSRF prevention to happen in the server, 
rather than in the application layer.

This way servers could be configured to reject all POST requests that 
have an Origin header from a different site.

This wouldn't replace the normal CSRF protections sites need to do for 
now, but eventually enough UAs will implement this that servers can just 
reject POSTs that don't have 'Origin' set. This would be especially 
true if we can get this feature backported into old browsers (we'll 
likely backport it to FF3).

/ Jonas

[1] http://dev.w3.org/2006/waf/access-control/
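
The server-side check proposed in the message above, as an added example that is not part of the original post: a WSGI middleware covering both the interim policy (reject a POST only when its Origin is present and foreign) and the eventual one (also reject POSTs with no Origin). The class name, the require_origin flag, the allow-list approach and the shop.example / evil.example hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_tuple(value):
    """Parse 'scheme://host[:port]' into (scheme, host, port); None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return None
    if not parts.hostname or port is None:
        return None
    # urlsplit lower-cases scheme and hostname, so comparison is case-insensitive.
    return (parts.scheme, parts.hostname, port)

class OriginCheck:
    """Hypothetical WSGI middleware: reject cross-site POSTs by Origin header."""

    def __init__(self, app, allowed_origins, require_origin=False):
        self.app = app
        self.allowed = {origin_tuple(o) for o in allowed_origins}
        self.allowed.discard(None)  # a malformed allow-list entry must never match
        # False: interim policy, tolerate UAs that send no Origin at all.
        # True: eventual policy, a POST without Origin is rejected.
        self.require_origin = require_origin

    def decide(self, method, origin):
        """Return True if the request may reach the application."""
        if method != "POST":
            return True
        if origin is None:
            return not self.require_origin
        # "null" and unparsable values yield None and are rejected.
        return origin_tuple(origin) in self.allowed

    def __call__(self, environ, start_response):
        if self.decide(environ.get("REQUEST_METHOD"), environ.get("HTTP_ORIGIN")):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"cross-site POST rejected\n"]

# Constructed usage: wrap any WSGI app, listing the site's own origins.
def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

application = OriginCheck(demo_app, ["https://shop.example"])
```

With require_origin left at False this only supplements the application-level CSRF protections the message says sites still need, since a UA that sends no Origin passes through unchecked.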
