When we need to invoke an Ajax request we do:
if(typeof XMLHttpRequest !== 'undefined') xhr = new XMLHttpRequest();
else
{
var versions = ["Microsof
The origin header is added automatically (generally) when you do a cross-domain request.
To test it, I opened the console on this page and made two different requests: one for another domain and one for '/' and just the first got the origin header added.
BTW, I'm using jQuery for it and I'd really advise you to use it too in order to have the same behavior cross-browser.
For complementary info on the subject, check this:
The first thing to note is that a valid CORS request always contains an Origin header. This Origin header is added by the browser, and cannot be controlled by the user. The value of this header is the scheme (e.g. http), domain (e.g. bob.com) and port (included only if it is not a default port, e.g. 81) from which the request originates; for example: http://api.alice.com.
The presence of the Origin header does not necessarily mean that the request is a cross-origin request. While all cross-origin requests will contain an Origin header, some same-origin requests might have one as well. For example, Firefox doesn't include an Origin header on same-origin requests. But Chrome and Safari include an Origin header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header).
Source
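
The server-side consequence of the answer above, as an added example that is not part of the original post: because some same-origin requests also carry an Origin header, a handler should compare the header with its own origin instead of treating its presence as "cross-origin". The function names and the sample origins are assumptions made for illustration.

```javascript
// Added example. normalizeOrigin, classifyRequest, corsResponseHeaders and the
// sample origins are hypothetical names, not from the original post.

// Serialize an origin as browsers do: scheme://host[:port], with the port
// omitted when it is the scheme's default. Returns null for anything else.
function normalizeOrigin(value) {
  // An Origin value has no path, query, fragment or credentials.
  if (typeof value !== 'string' || !/^https?:\/\/[^\/?#@]+$/i.test(value)) return null;
  try {
    return new URL(value).origin; // lowercases the host, drops :80 / :443
  } catch (e) {
    return null; // e.g. port out of range
  }
}

// headers: request headers with lowercased names (as Node's http module gives them).
function classifyRequest(headers, selfOrigin, allowedOrigins) {
  const raw = headers.origin;
  if (raw === undefined) return 'no-origin'; // e.g. a same-origin GET
  const origin = normalizeOrigin(raw);
  // Unparseable values and the literal "null" (opaque origin) are never trusted.
  if (origin === null) return 'cross-origin-denied';
  // Presence of Origin alone proves nothing: compare with our own origin.
  if (origin === normalizeOrigin(selfOrigin)) return 'same-origin';
  return allowedOrigins.map((o) => normalizeOrigin(o)).includes(origin)
    ? 'cross-origin-allowed'
    : 'cross-origin-denied';
}

// Only an allowed cross-origin request gets Access-Control-Allow-Origin, and it
// echoes the single origin that matched rather than a wildcard.
function corsResponseHeaders(headers, selfOrigin, allowedOrigins) {
  if (classifyRequest(headers, selfOrigin, allowedOrigins) !== 'cross-origin-allowed') {
    return { Vary: 'Origin' };
  }
  return { 'Access-Control-Allow-Origin': normalizeOrigin(headers.origin), Vary: 'Origin' };
}

// Constructed sample requests (not captured traffic).
const SELF = 'https://shop.example.test';
const ALLOWED = ['http://partner.example.test:81'];
const samples = [
  {},                                            // same-origin GET, no header
  { origin: 'https://shop.example.test' },       // same-origin POST from Chrome/Safari
  { origin: 'http://partner.example.test:81' },  // allowed cross-origin caller
  { origin: 'http://other.example.test' },       // cross-origin, not on the list
  { origin: 'null' },                            // opaque origin
];
for (const h of samples) console.log(h.origin, '->', classifyRequest(h, SELF, ALLOWED));
```

The Origin header is set by browsers; a non-browser client can send any value, so this check decides CORS handling and is not a substitute for authentication.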