Send "Origin" HTTP header on POST form submit

Confirmed Issue #10482384 • Assigned to Brandon M.

Details

Author: Steffen W.
Created: Jan 10, 2017
Privacy: This issue is public.
Found in: Microsoft Edge
Found in build #: 14.14393
Reports: Reported by 2 people

Steps to reproduce

Microsoft Edge should send the “Origin” HTTP header specified in RFC 6454 when submitting a POST form to aid CSRF mitigation. Chrome and Safari implemented this header long ago. Firefox is about to implement it; see Firefox Bug #446344.

How to reproduce:

  1. Open Microsoft Edge 14
  2. Go to https://jsfiddle.net/steffenweber/8ef54tvg/
  3. Open the “Network” tab of the F12 Developer Tools
  4. Click the “Submit” button
  5. Observe that the sent POST request does not have an “Origin” header

I’ve attached a screenshot that shows this scenario in a Microsoft Edge on Win 10 Stable (14.14393) VM.

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Brad E.”

    Changed Assigned To from “Brad E.” to “Brandon M.”

    Changed Status to “Confirmed”
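
Added example, not part of the issue report or of any Microsoft code: a server-side source check for state-changing requests that uses the “Origin” header where the browser sends it and falls back to “Referer” when it is absent, as in the Edge 14 form POST described in the report. The allowed origin `https://app.example`, the function name `classifyRequest`, the deny-on-`null` policy and the sample requests are assumptions made for illustration.

```javascript
// Added example: classify a request by its source headers for CSRF defence.
// ALLOWED_ORIGINS and all sample requests are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function classifyRequest(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { verdict: "allow", reason: "safe-method" };
  }
  // Header names are assumed lower-cased, as Node's http module delivers them.
  const origin = headers["origin"];
  if (origin !== undefined) {
    // "null" marks an opaque origin (sandboxed frame, data: URL); denied here by policy.
    if (origin === "null") return { verdict: "deny", reason: "opaque-origin" };
    return allowed.has(origin)
      ? { verdict: "allow", reason: "origin-match" }
      : { verdict: "deny", reason: "origin-mismatch" };
  }
  // No Origin header: the Edge 14 form-POST case from the report.
  const referer = headers["referer"];
  if (referer !== undefined) {
    let refOrigin;
    try {
      refOrigin = new URL(referer).origin; // scheme + host + port only
    } catch {
      return { verdict: "deny", reason: "referer-unparseable" };
    }
    return allowed.has(refOrigin)
      ? { verdict: "allow", reason: "referer-match" }
      : { verdict: "deny", reason: "referer-mismatch" };
  }
  // Neither header present: undecidable here, so the CSRF token check must decide.
  return { verdict: "need-token", reason: "no-source-header" };
}

// Constructed sample requests.
const samples = [
  ["POST", { origin: "https://app.example" }],             // browser that sends Origin
  ["POST", { origin: "https://evil.example" }],            // cross-site form
  ["POST", { referer: "https://app.example/settings" }],   // Edge 14: no Origin
  ["POST", { referer: "https://app.example.evil.test/" }], // look-alike host
  ["POST", {}],                                            // both headers absent
];
for (const [m, h] of samples) {
  console.log(m, JSON.stringify(h), "->", classifyRequest(m, h).reason);
}
```

Comparing the parsed origin of the Referer, rather than a string prefix, is what keeps the look-alike host from matching.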
