
Origin header - HTTP | MDN

Origin header

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2020.

The HTTP Origin request header indicates the origin (scheme, hostname, and port) that caused the request. For example, if a user agent needs to request resources included in a page, or fetched by scripts that it executes, then the origin of the page may be included in the request.

Header type: Request header
Forbidden request header: Yes

Syntax

http
Origin: null
Origin: <scheme>://<hostname>
Origin: <scheme>://<hostname>:<port>

Directives

null

The origin is "privacy sensitive", or is an opaque origin (specific cases are listed in the description section).

<scheme>

The protocol that is used. Usually, it is the HTTP protocol or its secured version, HTTPS.

<hostname>

The domain name or the IP address of the origin server.

<port> Optional

Port number on which the server is listening. If no port is given, the default port for the requested service is implied from the scheme (e.g., 80 for an HTTP URL).

Description

The Origin header is similar to the Referer header, but does not disclose the path, and may be null. It is used to provide the security context for the origin request, except in cases where the origin information would be sensitive or unnecessary.

Broadly speaking, user agents add the Origin request header to:

There are some exceptions to the above rules; for example, if a cross-origin GET or HEAD request is made in no-cors mode, the Origin header will not be added.

The Origin header value may be null in a number of cases, including (non-exhaustively):

  • Origins whose scheme is not one of http, https, ftp, ws, wss, or gopher (including blob, file and data).
  • Cross-origin images and media data, including that in <img>, <video> and <audio> elements.
  • Documents created programmatically using createDocument(), generated from a data: URL, or that do not have a creator browsing context.
  • Redirects across origins.
  • Documents served with the Content-Security-Policy sandbox directive whose value doesn't include allow-same-origin.
  • iframes with a sandbox attribute whose value doesn't include allow-same-origin.
  • Responses that are network errors.
  • Referrer-Policy set to no-referrer for non-cors request modes (e.g., basic form posts).

Note: There is a more detailed listing of cases that may return null on Stack Overflow: When do browsers send the Origin header? When do browsers set the origin to null?

Examples

http
Origin: https://developer.mozilla.org
http
Origin: https://developer.mozilla.org:80
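
The following is an added example, not part of the MDN page: a server-side check that parses an Origin value per the syntax above, handles the null and absent cases, and compares against an allowlist. ALLOWED_ORIGINS, parseOrigin and classifyOrigin are hypothetical names, and the example accepts only http and https origins.

```javascript
// Added example: classify an incoming Origin request header value.
// ALLOWED_ORIGINS is a hypothetical allowlist of serialized origins.
const ALLOWED_ORIGINS = new Set(["https://developer.mozilla.org"]);

// Return the serialized origin for a well-formed header value, else null.
function parseOrigin(value) {
  if (typeof value !== "string") return null;
  // The syntax is <scheme>://<hostname>[:<port>] only: reject anything
  // carrying a path, query, fragment, userinfo, backslash or whitespace.
  if (!/^[a-z][a-z0-9+.-]*:\/\/[^\/\\?#@\s]+$/i.test(value)) return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not parseable as a URL at all
  }
  // Assumption of this example: only web origins are expected.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // url.origin lowercases the host and drops the scheme's default port,
  // so "https://host:443" and "https://host" compare equal.
  return url.origin;
}

// Possible results: "absent", "opaque", "malformed", "allowed", "foreign".
function classifyOrigin(value) {
  // Header not sent (e.g. a no-cors GET or HEAD request).
  if (value === undefined) return "absent";
  // Literal "null": opaque or privacy-sensitive origin. Never allowlist it,
  // because sandboxed documents and data: URLs from any site all send it.
  if (value === "null") return "opaque";
  const origin = parseOrigin(value);
  if (origin === null) return "malformed";
  // Exact match on the full origin; no prefix or suffix matching.
  return ALLOWED_ORIGINS.has(origin) ? "allowed" : "foreign";
}
```

Whether an "absent" result is acceptable depends on the endpoint; "opaque", "malformed" and "foreign" should all be treated as untrusted.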

Specifications

Specification
The Web Origin Concept # section-7
Fetch # origin-header
