We're POSTing an AJAX request to a server running locally, i.e.
xhr.open("POST", "http://localhost:9000/context/request");
xhr.addHeader(someCustomHeade
Chrome and Safari include an Origin header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header). Firefox doesn't include an Origin header on same-origin requests. Browsers don't expect CORS response headers on same-origin requests, so the response to a same-origin request is sent to the user, regardless of whether it has CORS headers or not.
I would recommend checking the Host header, and if it matches the domain in the Origin header, don't treat the request as CORS. The headers look something like this:
Host: example.com
Origin: http://example.com
Note that Origin will have the scheme (http/https), domain and port, while Host will only have the domain and port.
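The Host/Origin comparison recommended above, sketched for Node.js as an added example that is not part of the original answer. The names `toOrigin` and `classifyRequest` are hypothetical, the `scheme` argument is assumed to be supplied by the server (Host does not carry it), and the sample headers are constructed.

```javascript
// Added example: decide whether a request needs CORS handling by comparing
// the Origin header with the Host header.
// Assumption: `scheme` is the scheme the browser actually used ("http" or
// "https"); behind a TLS-terminating proxy the server must be told this.

function toOrigin(value) {
  // Normalize to "scheme://host[:port]"; return null if it is not a bare origin.
  try {
    const u = new URL(value);
    const bare = u.pathname === "/" && !u.search && !u.hash &&
                 !u.username && !u.password;
    const web = u.protocol === "http:" || u.protocol === "https:";
    return bare && web ? u.origin : null; // .origin drops default ports
  } catch {
    return null; // malformed value, or the literal "null" opaque origin
  }
}

function classifyRequest(headers, scheme) {
  // `headers` uses lower-case keys, as Node's http module provides them.
  const origin = headers["origin"];
  if (origin === undefined) return "no-origin"; // e.g. same-origin GET, Firefox
  const sent = toOrigin(origin);
  const own = headers["host"] ? toOrigin(`${scheme}://${headers["host"]}`) : null;
  // Same-origin only when scheme, domain and port all agree.
  return sent !== null && sent === own ? "same-origin" : "cross-origin";
}

// Constructed sample requests.
const samples = [
  [{ host: "localhost:9000", origin: "http://localhost:9000" }, "http"],
  [{ host: "localhost:9000", origin: "http://localhost:8080" }, "http"],
  [{ host: "example.com", origin: "https://example.com" }, "http"],
  [{ host: "example.com:80", origin: "http://example.com" }, "http"],
  [{ host: "example.com", origin: "null" }, "http"],
  [{ host: "example.com" }, "http"],
];
for (const [headers, scheme] of samples) {
  console.log(JSON.stringify(headers), "->", classifyRequest(headers, scheme));
}
```

Only requests classified as `cross-origin` need the CORS allow-list check and response headers; the other two classes can be handled as ordinary requests.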
According to RFC 6454 - The Web Origin Concept - the presence of Origin is actually legal for any HTTP request, including same-origin requests:
http://tools.ietf.org/html/rfc6454#section-7.3
"The user agent MAY include an Origin header field in any HTTP request."