Steps to reproduce
Microsoft Edge should send the “Origin” HTTP header specified in RFC 6454 when submitting a POST form to aid CSRF mitigation. Chrome and Safari implemented this header long ago. Firefox is about to implement it; see Firefox Bug #446344.
How to reproduce:
- Open Microsoft Edge 14
- Go to https://jsfiddle.net/steffenweber/8ef54tvg/
- Open the “Network” tab of the F12 Developer Tools
- Click the “Submit” button
- Observe that the sent POST request does not have an “Origin” header
I’ve attached a screenshot that shows this scenario in a Microsoft Edge on Win 10 Stable (14.14393) VM.
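An added example (not part of the original report and not any browser's or vendor's code) of a server-side CSRF check that relies on the “Origin” header for state-changing requests, and of what the server has to fall back on when the header is missing, as in the reproduction above. The allow-list, the function name and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: server-side CSRF check built on the Origin header.
// ALLOWED_ORIGINS and the sample requests are constructed for illustration.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// headers: object with lower-cased header names, as Node's http module provides.
function checkRequestOrigin(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: 'safe-method' };
  }
  const origin = headers['origin'];
  if (origin !== undefined) {
    // "null" is sent for opaque origins (e.g. sandboxed frames); never trust it.
    const ok = origin !== 'null' && ALLOWED_ORIGINS.has(origin);
    return { allow: ok, reason: ok ? 'origin-match' : 'origin-mismatch' };
  }
  // No Origin header: the case this report describes. Fall back to Referer.
  const referer = headers['referer'];
  if (referer !== undefined) {
    let refOrigin;
    try {
      // Compare the parsed origin, not a string prefix of the Referer value.
      refOrigin = new URL(referer).origin;
    } catch (e) {
      return { allow: false, reason: 'referer-unparseable' };
    }
    const ok = ALLOWED_ORIGINS.has(refOrigin);
    return { allow: ok, reason: ok ? 'referer-match' : 'referer-mismatch' };
  }
  // Neither header: nothing to compare, so refuse and require a CSRF token instead.
  return { allow: false, reason: 'no-origin-no-referer' };
}

// Constructed sample requests.
const samples = [
  ['POST', { origin: 'https://app.example' }],
  ['POST', { origin: 'https://other.example' }],
  ['POST', { referer: 'https://app.example/form' }], // Origin missing, as in this report
  ['POST', { referer: 'https://app.example.other.example/form' }],
  ['POST', {}],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), checkRequestOrigin(method, headers).reason);
}
```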
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Brad E.”
Changed Assigned To from “Brad E.” to “Brandon M.”
Changed Status to “Confirmed”
Is there an update on this? Still seems to happen in version 41.16299.371.0.