On Mon, Apr 6, 2009 at 2:09 PM, Bil Corry <b...@corry.biz> wrote:
> Can we please include the Origin header for all same-origin requests,
> including GET and HEAD?  Or is there a compelling reason why not to do so?
>
> Also, would there be value in having Origin sent for *all* requests, and if 
> populating Origin is prohibited for that request (e.g. cross-origin GET), it 
> sends "null" as the value?


In order to make the Origin header a workable CSRF defense for GET,
we'd have to send "null" on cross-origin GET requests (otherwise the
attacker can suppress the header by making a GET request from another
origin).  However, this is inconsistent with CORS.

Adam
