Send "Origin" HTTP header on POST form submit

Confirmed Issue #10482384 • Assigned to Brandon M.

Details

Author: Steffen W.
Created: Jan 10, 2017
Privacy: This issue is public.
Found in: Microsoft Edge
Found in build #: 14.14393
Reports: Reported by 5 people


Steps to reproduce

Microsoft Edge should send the “Origin” HTTP header specified in RFC 6454 when submitting a POST form to aid CSRF mitigation. Chrome and Safari implemented this header long ago. Firefox is about to implement it; see Firefox Bug #446344.

How to reproduce:

  1. Open Microsoft Edge 14
  2. Go to https://jsfiddle.net/steffenweber/8ef54tvg/
  3. Open the “Network” tab of the F12 Developer Tools
  4. Click the “Submit” button
  5. Observe that the sent POST request does not have an “Origin” header

I’ve attached a screenshot that shows this scenario in a Microsoft Edge on Win 10 Stable (14.14393) VM.
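
How a server can use the “Origin” header for the CSRF mitigation the report refers to, and what it has to fall back on when a browser omits the header on a form POST. This is an added example, not part of the original report; the allowed origin `https://app.example.test` and the names `ALLOWED_ORIGINS`, `originOf` and `checkRequestOrigin` are assumptions made for illustration.

```javascript
// Added example: server-side CSRF check built on the Origin header (RFC 6454).
// ALLOWED_ORIGINS, originOf and checkRequestOrigin are hypothetical names.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']); // constructed value

// Reduce a URL or serialized origin to scheme://host[:port].
// Returns null when the value cannot be parsed or has an opaque origin.
function originOf(value) {
  try {
    const o = new URL(value).origin;
    return o === 'null' ? null : o;
  } catch (e) {
    return null;
  }
}

// Decide whether a request may proceed.
// headers: object with lower-cased names, as Node's http module provides them.
function checkRequestOrigin(method, headers) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method.toUpperCase())) {
    return { allow: true, reason: 'safe-method' };
  }
  const origin = headers['origin'];
  if (origin !== undefined) {
    // A literal "null" (opaque origin) never matches the allow-list.
    const ok = ALLOWED_ORIGINS.has(originOf(origin));
    return { allow: ok, reason: ok ? 'origin-match' : 'origin-mismatch' };
  }
  // No Origin header: the behaviour this issue reports for form POSTs.
  // Fall back to the origin part of the Referer header.
  const referer = headers['referer'];
  if (referer !== undefined) {
    const ok = ALLOWED_ORIGINS.has(originOf(referer));
    return { allow: ok, reason: ok ? 'referer-match' : 'referer-mismatch' };
  }
  // Neither header present: headers cannot prove same-origin, so refuse here
  // and rely on a second control such as a per-session CSRF token.
  return { allow: false, reason: 'no-origin-info' };
}
```

The `referer-match` and `no-origin-info` branches are the ones a browser without the header exercises; Referer can be stripped by privacy settings or referrer policy, which is why the header-only check fails closed.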


Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Brad E.”

    Changed Assigned To from “Brad E.” to “Brandon M.”

    Changed Status to “Confirmed”

  • Is there an update on this? Still seems to happen in version 41.16299.371.0.
