Why do we need Origin?
As you probably know, there's the HTTP header Referer, which usually contains the URL of the page that initiated a network request.
For instance, when fetching
As you can see, both Referer and Origin are present.
- Why is Origin needed, if Referer has even more information?
- Is it possible that there's no Referer or Origin, or is it incorrect?
We need Origin, because sometimes Referer is absent. For instance, when we fetch an HTTP page from HTTPS (accessing a less secure page from a more secure one), then there's no Referer.
The Content Security Policy may forbid sending a Referer.
As we'll see, fetch has options that prevent sending the Referer and even allow changing it (within the same site).
Referer is an optional HTTP-header.
Because Referer is unreliable, Origin was invented. The browser guarantees a correct Origin for cross-origin requests.
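
A server that wants to know which site sent a request can apply the same reasoning: use Origin when it is present, fall back to the origin part of Referer, and treat a request carrying neither as unknown. The following is an added example, not code from the original page; the function names, the allow-list and the sample header objects are constructed for illustration.

```javascript
// Constructed allow-list of sites permitted to call this endpoint.
const ALLOWED_ORIGINS = new Set(["https://javascript.info"]);

// Returns { origin, via }, where via is "origin", "referer" or "none".
function requestSource(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // Origin holds only scheme://host[:port]. When the browser sent it,
  // it is authoritative: never fall through to Referer.
  if ("origin" in h) {
    if (h.origin === "null") return { origin: null, via: "none" }; // opaque origin
    try {
      return { origin: new URL(h.origin).origin, via: "origin" };
    } catch {
      return { origin: null, via: "none" }; // malformed value
    }
  }

  // Referer is optional and holds a full URL; keep only its origin part.
  if (h.referer) {
    try {
      const origin = new URL(h.referer).origin;
      if (origin !== "null") return { origin, via: "referer" };
    } catch {
      // malformed Referer: treat as absent
    }
  }

  // Neither header is usable, so the source is unknown.
  return { origin: null, via: "none" };
}

function isAllowedSource(headers) {
  const { origin } = requestSource(headers);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Constructed sample: HTTPS page fetching an HTTP page, so Referer is absent.
console.log(requestSource({ Origin: "https://javascript.info" }));
```

A request for which `requestSource` returns `via: "none"` should be handled as coming from an unknown site, not as a same-site request.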