Security/Origin

7 bytes removed, 23:03, 17 July 2009
When Sec-From is served (and when it is "null")
{| border="1" cellpadding="2"
|-
! API !! Send Origin? (no means "null") !! Workaround to Get Origin Value !! Notes
|-
! Anchor tag
| "null" NO || Convert to GET FORM || Many sites allow users to post links, so we don't want to send Origin with links
|-
! Window navigation
| "null" NO || Convert to GET FORM || Refers to anchor.href, window.location, window.open, ...? These are often used as equivalents to user generated links, making them susceptible to CSRF.
|-
! IMG
| "null" NO || || Images are easy to inject into a site.
|-
! iframe, embed, applet
| YES* || None || Embedding information useful to address clickjacking. *If ancestor tree is more than 1 deep, send Origin:"null"
|-
! Form (GET and POST)
|-
! stylesheets
| "null" NO || N/A || CSS is generally session-dependent, and requests for it should not be state-modifying.
|-
! dependent loads from stylesheets
| "null" NO || N/A || These are <tt>url()</tt> calls within CSS and are mainly images.
|-
! Redirects
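The table above describes the sender side of the header: which browser APIs carry a real Origin and which send "null". The server-side consequence is that a state-changing request must be refused when Origin is absent, literally "null" (a link, image, or a frame nested more than one level deep), malformed, or not one of the site's own origins, while safe methods are left alone because GET requests should not change state in the first place. The following checker is an added example written for this page, not code from the wiki or from Mozilla; the allowlist, the sample requests and the header dictionaries are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the origins from which this site
# accepts state-changing requests. A real deployment derives this from config.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

# Methods that may change server state and therefore need an Origin check.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def normalize_origin(value):
    """Return an Origin value as canonical scheme://host[:port].

    Returns the string "null" for the literal opaque origin, and None when the
    value is not a serialized origin at all (has a path, query, fragment, or
    an unsupported scheme). Browsers already send a canonical form; the
    normalisation here is defensive, so that case or an explicit default port
    cannot bypass a naive string comparison.
    """
    if value is None:
        return None
    value = value.strip()
    if value == "null":
        return "null"
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default_port = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_origin(method, headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a request may perform a state change.

    headers is a mapping of header name to value (looked up case-insensitively).
    Returns (allowed, reason) so the caller can log the reason for a refusal.
    """
    method = method.upper()
    if method not in STATE_CHANGING_METHODS:
        return True, "safe method; no Origin check needed"
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("origin")
    if raw is None:
        return False, "Origin header absent"
    origin = normalize_origin(raw)
    if origin == "null":
        # Sent for links, images, and frames nested more than one level deep:
        # exactly the sources the table treats as injectable, so refuse.
        return False, 'Origin is "null" (link, image, or nested frame)'
    if origin is None:
        return False, "Origin header malformed"
    if origin not in allowed:
        return False, f"origin {origin} not in allowlist"
    return True, f"origin {origin} allowed"


if __name__ == "__main__":
    # Constructed sample requests covering each row of the decision.
    samples = [
        ("GET", {}),                                           # safe method
        ("POST", {}),                                          # no Origin at all
        ("POST", {"Origin": "null"}),                          # link / image / deep frame
        ("POST", {"Origin": "https://app.example.com"}),       # same site
        ("POST", {"origin": "HTTPS://App.Example.com:443/"}),  # same site, non-canonical
        ("POST", {"Origin": "https://attacker.example"}),      # cross-site form
        ("DELETE", {"Origin": "https://app.example.com/path"}),  # not an origin
    ]
    for method, hdrs in samples:
        ok, why = check_origin(method, hdrs)
        print(f"{method:6} {hdrs!s:45} -> {'ALLOW' if ok else 'DENY ':5} {why}")
```

The check is deliberately an allowlist rather than a "reject known-bad" list: an absent header is treated the same as "null", because older clients and some proxies strip it, and failing open there would reintroduce the CSRF the header exists to prevent.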