Canmove, confirm
1,537
edits
Changes
→Origin header format
In order to provide enough information that makes this Origin header useful for more server-side protections (other than just CSRF), the origin of a request may be sent (or the string "null") as well as a list of any redirects that led to the final request.
The Origin header is described in [http://tools.ietf.org/html/draft-abarth-origin-05 an internet draft by Adam Barth, Collin Jackson and Ian Hickson]. The general format of the Origin header will be:
Origin: <origin> [<origin>]*
An <tt><origin></tt> is a combination of scheme, host and port. Unlike HTTP Referer, no path data or query string will be provided in the origin.
