48

I have a question about the working of the Origin and Host HTTP headers.

I have an Ajax page "Page A" which will call the Ajax feed "Page B".

I saw that the request header of "Page B" from the Ajax call contains the headers:

Origin: http://example.com
Host: example.com

However, if I call the "Page B" directly, the request header will only contain the Host header:

Host: example.com

Thus, I want to know: what is the difference between the Origin and Host headers, and why do they show up on non-direct calls?

Can Origin be prepended and passed to the server?

bruno
user192344

1 Answer

99

The Host is the domain the request is being sent to. This header was introduced so hosting sites could include multiple domains on a single IP.

The Origin header is the domain the request originates from.

The Host header is always included. The Origin header is included sometimes: It is always included on cross-origin requests (across all browsers), and in Chrome/Safari, it is also included on same-origin PUT/POST/DELETE requests. Same-origin GET requests do not include an Origin header.

monsur
  • 2
    Thx for the answer, same as the above reference link. BTW, can Origin be pretended and passed to the server? – user192344 Dec 14 '12 at 03:12
  • 4
    Origin can't be faked from a browser. A user could use curl in order to craft an HTTP request with an Origin header, but this won't be a typical use case. It is not recommended to use CORS as a security mechanism; if you are trying to secure content, you should also have some auth mechanism such as OAuth2. – monsur Dec 14 '12 at 03:29
  • 1
    Thx for the answer, I would not use it as a security mechanism; ^^ – user192344 Dec 14 '12 at 09:12
  • 3
    It's worth mentioning that some browsers (Chrome, Safari, maybe others) do include the Origin header on same-domain Ajax POST requests (but not GET requests) – Jake Feasel Jan 21 '13 at 17:40
  • 2
    @user192344, Yes, Origin can be "faked" from the browser, but it involves a DNS attack to be able to do so (think DNS poisoning / DNS rebinding). Basically, we corrupt the layer below the browser so it thinks that it has real values. – Pacerier Jan 26 '16 at 20:04
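An added example (not code from the question, the answer or any project) showing how a server would act on the two headers the answer describes: validate Host against the names it is deployed under (the usual defence for the DNS-rebinding case raised in the last comment), use Origin only to decide CORS response headers, and treat a missing Origin (same-origin GET, or a non-browser client such as curl) as no evidence about the caller at all. The host names, allowlist and sample requests are assumed/constructed values.

```javascript
// Added example; not code from the question, the answer or any project.
// Host is checked against the names this server is deployed under (assumed
// values); refusing unexpected Hosts is the standard DNS-rebinding defence.
// Origin, when present, is compared with an allowlist (assumed values) to
// decide the CORS headers. A missing Origin (same-origin GET, curl, ...) is
// not proof of anything: it gets no CORS headers, and access control stays
// with the application's own auth (session cookie, token, OAuth2).

const KNOWN_HOSTS = new Set(["example.com", "www.example.com"]);
const ALLOWED_ORIGINS = new Set(["http://example.com", "https://app.example.com"]);

// headers: object keyed by lowercased header name, as Node's http module provides.
function handleRequest(headers) {
  const host = headers["host"];
  if (host === undefined || !KNOWN_HOSTS.has(host.split(":")[0])) {
    // Unknown Host: misrouted or DNS-rebinding traffic; refuse before doing any work.
    return { status: 400, cors: null, reason: "unexpected Host" };
  }
  const origin = headers["origin"];
  if (origin === undefined) {
    // No Origin: a same-origin GET from a browser, or a non-browser client.
    // No CORS decision to make, and nothing here authenticates the caller.
    return { status: 200, cors: null, reason: "no Origin header" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Cross-origin browser request from a site we do not allow: answer without
    // CORS headers, so the browser withholds the response from the calling page.
    return { status: 200, cors: null, reason: "Origin not allowed" };
  }
  // Allowed origin (cross-origin, or a same-origin POST from Chrome/Safari which
  // also carries Origin): echo exactly that origin, never "*", and Vary on it.
  return {
    status: 200,
    cors: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" },
    reason: "Origin allowed",
  };
}

// Constructed requests mirroring the question: the Ajax call to "Page B", a
// direct visit to "Page B", and two cases the answer and comments warn about.
const AJAX_CALL = { host: "example.com", origin: "http://example.com" };
const DIRECT_CALL = { host: "example.com" };
const FOREIGN_PAGE = { host: "example.com", origin: "http://other.example" };
const REBOUND_HOST = { host: "rebound.example", origin: "http://example.com" };

for (const req of [AJAX_CALL, DIRECT_CALL, FOREIGN_PAGE, REBOUND_HOST]) {
  console.log(JSON.stringify(req), "->", JSON.stringify(handleRequest(req)));
}
```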