Chrome adding Origin header to same-origin request

Question

We\'re POSTing an AJAX request to a server running locally, i.e.

xhr.open(\"POST\", \"http://localhost:9000/context/request\");
xhr.addHeader(someCustomHeade         


        

Answer 1

According to RFC 6454 - The Web Origin Concept - the presence of Origin is actually legal for any HTTP request, including same-origin requests:

http://tools.ietf.org/html/rfc6454#section-7.3

"The user agent MAY include an Origin header field in any HTTP request."