Steps to reproduce
Microsoft Edge should send the “Origin” HTTP header specified in RFC 6454 when submitting a POST form to aid CSRF mitigation. Chrome and Safari implemented this header long ago. Firefox is about to implement it; see Firefox Bug #446344.
How to reproduce:
- Open Microsoft Edge 14
- Go to https://jsfiddle.net/steffenweber/8ef54tvg/
- Open the “Network” tab of the F12 Developer Tools
- Click the “Submit” button
- Observe that the sent POST request does not have an “Origin” header
I’ve attached a screenshot that shows this scenario in a Microsoft Edge on Win 10 Stable (14.14393) VM.
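A server that relies on the “Origin” header for CSRF mitigation has to decide what to do with a POST that arrives without it, as in the scenario reproduced above. The following is an added example, not part of the original report: the allowlist, function names and sample hosts are assumptions, and falling back to the Referer header is one common policy choice.

```javascript
// Added example: server-side source-origin check for state-changing requests.
// ALLOWED_ORIGINS and all sample hosts are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reduce a URL to its serialized origin (scheme://host[:port]); null if unusable.
function originOf(value) {
  try {
    const u = new URL(value);
    return u.origin === "null" ? null : u.origin;
  } catch {
    return null;
  }
}

// headers: object keyed by lower-cased header names (as Node's http module provides).
function checkRequestOrigin(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe-method" };
  }
  const origin = headers["origin"];
  if (origin !== undefined) {
    // Header present: exact match on the serialized origin. The literal
    // value "null" (opaque origin) is never in the allowlist.
    const ok = allowed.has(origin);
    return { allow: ok, reason: ok ? "origin-match" : "origin-mismatch" };
  }
  // No Origin header on a form POST (the behaviour reported here):
  // fall back to the origin of the Referer URL, compared exactly, not by prefix.
  const refOrigin = headers["referer"] ? originOf(headers["referer"]) : null;
  if (refOrigin !== null) {
    const ok = allowed.has(refOrigin);
    return { allow: ok, reason: ok ? "referer-match" : "referer-mismatch" };
  }
  // Neither header: the source cannot be determined, so reject rather than guess.
  return { allow: false, reason: "no-source-header" };
}
```

Logging the `reason` field per request shows how much traffic still depends on the Referer fallback.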
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Brad E.”
Changed Assigned To from “Brad E.” to “Brandon M.”
Changed Status to “Confirmed”