Send "Origin" HTTP header on POST form submit

Confirmed Issue #10482384 • Assigned to Brandon M.


Steffen W.
Jan 10, 2017
This issue is public.
Found in
  • Microsoft Edge
Found in build #
Reported by 5 people

Sign in to watch or report this issue.

Steps to reproduce

Microsoft Edge should send the “Origin” HTTP header specified in RFC 6454 when submitting a POST form to aid CSRF mitigation. Chrome and Safari have implemented this header long ago. Firefox is about to implement it, see Firefox Bug #446344.

How to reproduce:

  1. Open Microsoft Edge 14
  2. Go to
  3. Open the “Network” tab of the F12 Developer Tools
  4. Click the “Submit” button
  5. Observe that the sent POST request does not have an “Origin” header

I’ve attached a screenshot that shows this scenario in a Microsoft Edge on Win 10 Stable (14.14393) VM.


Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Brad E.”

    Changed Assigned To from “Brad E.” to “Brandon M.”

    Changed Status to “Confirmed”

  • Is there an update on this? Still seems to happen in version 41.16299.371.0.

You need to sign in to your Microsoft account to add a comment.

Sign in