As you can see from this Bugzilla thread (and also), Firefox does not always send an Origin header in POST requests. The RFC states that it should not be sent in certain undefined "privacy-sensitive" contexts. Mozilla defines those contexts here.
I'd like to know whether these are the only situations in which Firefox will not send the Origin header. As far as I can tell, it also will not send it in cross-origin POST requests (though Chrome and Internet Explorer will), but I can't confirm that in the documentation. Is it enumerated somewhere that I'm missing?
As far as what the relevant specs actually require, the answer has a couple parts:
null
Here are the details:
null
The HTML spec uses the term opaque origin and defines it as an “internal value”:
with no serialization it can be recreated from (it is serialized as "null" per ASCII serialization of an origin), for which the only meaningful operation is testing for equality
In other words, everywhere the HTML spec says opaque origin, you can translate it to null
.
The HTML spec requires browsers to set an opaque origin or unique origin in these cases:
img
elements)video
and audio
elements)data:
URLiframe
with a sandbox
attribute that doesn’t contain the value allow-same-origin
createDocument()
, etc.The Fetch spec requires browsers to set the origin to a “globally unique identifier” (essentially the same thing as “opaque origin”, which basically means null
…) in one case:
The URL spec requires browsers to set an opaque origin in the following cases:
blob:
URLsfile:
URLshttp
, https
, ftp
, ws
, wss
, or gopher
But note that just because the browser has internally set an opaque origin—essentially null
—that doesn’t necessarily mean the browser will send an Origin
header. So see the next part of this answer for details about when browsers must send the Origin
header.
Browsers send the Origin
header for WebSocket requests and for cross-origin requests initiated by a fetch()
or XHR call, or by an ajax method from a JavaScript library (axios, jQuery, etc.) — but not for normal page navigations (that is, when you open a web page directly in a browser), and not (normally) for resources embedded in a web page (for example, not for CSS stylesheets, scripts, or images).
But that’s a simplification. There are cases other than WebSocket requests and cross-origin XHR/fetch/ajax calls when browsers send the Origin
header, and cases when browsers send the Origin
header for embedded resources. So what follows below is the longer answer.
In terms of spec requirements: The spec requires the Origin
header to always be sent for WebSocket requests and for any request which the Fetch spec defines as a CORS request:
A CORS request is an HTTP request that includes an
Origin
header. It cannot be reliably identified as participating in the CORS protocol as theOrigin
header is also included for all requests whose method is neitherGET
norHEAD
.
So, what the spec means there is: The Origin
header is sent in all cross-origin requests, but it’s also always sent for all POST
, PUT
, PATCH
, and DELETE
requests — even for same-origin POST
, PUT
, PATCH
, and DELETE
requests (which by definition in Fetch are actually “CORS requests” — even though they’re same-origin).*
The other cases when browsers must send the Origin
header are any cases where a request is made with the “CORS flag” set — which, as far as HTTP(S) requests, is except when the request mode is navigate
, websocket
, same-origin
, or no-cors
.
XHR always sets the mode to cors
. But with the Fetch API, those request modes are the ones you can set with the mode
field of the init-object argument to the fetch(…)
method:
fetch("http://example.com", { mode: 'no-cors' }) // no Origin will be sent
Font requests always have the mode set to cors
and so always have the Origin
header.
And for any element with a crossorigin
attribute (aka “CORS setting attribute”), the HTML spec requires browsers to set the request mode to cors
(and to send the Origin
header).
Otherwise, for embedded resources — any elements having attributes with URLs that initiate requests (<script src>
, stylesheets, images, media elements) — the mode for the requests defaults to no-cors
; and since those requests are GET
requests, that means, per-spec, browsers send no Origin
header for them.
When HTML form elements initiate POST
requests, the mode for those POST
s also defaults to no-cors
— in the same way embedded resources have their mode defaulted to no-cors
. However, unlike the no-cors
mode GET
requests for embedded resources, browsers do send the Origin
header for those no-cors
mode POST
s initiated from HTML form elements.
The reason for that is, as mentioned earlier in this answer, browsers always send the Origin
header in all POST
, PUT
, PATCH
, and DELETE
requests.
Also, for completeness and to be clear: For navigations, browsers send no Origin
header. That is, if a user navigates directly to a resource — by pasting a URL into an address bar, or by following a link from another web document — then browsers send no Origin
header.
* The algorithm in the Fetch spec that requires browsers to send the Origin
header for all CORS requests is this:
To append a request Origin
header, given a request request, run these steps:
1. Let serializedOrigin be the result of byte-serializing a request origin with request.
2. If request’s response tainting is "cors
" or request’s mode is "websocket
", then
append Origin
/serializedOrigin to request’s header list.
3. Otherwise, if request’s method is neither GET
nor HEAD
,
then: [also send the Origin
header in that case too]
Step 2 there is what requires the Origin
header to be sent in all cross-origin requests — because all cross-origin requests have their response tainting set to "cors
".
But step 3 there requires the Origin
header to also be sent for same-origin POST
, PUT
, PATCH
, and DELETE
requests (which by definition in Fetch are actually “CORS requests” — even though they’re same-origin).
The above describes how the Fetch spec currently defines the requirements, due to a change that was made to the spec on 2016-12-09. Up until then the requirements were different:
• previously no Origin
was sent for a same-origin POST
• previously no Origin
was sent for cross-origin POST from a <form>
(without CORS)
So the Firefox behavior the question describes is what the spec previously required, not what it currently requires.