[whatwg] Origin header and <form>s

Collin Jackson w3c at collinjackson.com
Wed Jul 9 19:24:25 PDT 2008

Adam Barth, John Mitchell, and I have written an academic paper in
support of the Origin header as a CSRF defense:


On Wed, Jul 9, 2008 at 6:59 PM, Jonas Sicking <jonas at sicking.cc> wrote:
> Hi All,
> The Access-Control spec [1] adds an 'Origin' header that is submitted with
> all requests. I propose that we specify that <form> POSTs should do the
> same. This would be a very powerful mechanism to prevent CSRF attacks as it
> would allow CSRF prevention to happen in the server, rather than in the
> application layer.
> This way servers could be configured to reject all POST requests that have
> an Origin header from a different site.
> This wouldn't replace the normal CSRF protections sites need to do for now,
> but eventually enough UAs implement this that servers can just reject POSTs
> that doesn't have 'Origin' set. This would be especially true if we can get
> this feature backported into old browsers (we'll likely backport it to FF3).
> / Jonas
> [1] http://dev.w3.org/2006/waf/access-control/

More information about the whatwg mailing list