
Is the Origin header trustworthy for requests sent by the browser?

Çağlar Arlı

In another question, I implied that an application can check the Origin request header to determine where the request is from. I was under the assumption that the browser sets this to the origin of the domain the request originates from, and that this cannot be influenced by the website that performs the request. Is that correct?

A comment notes:

A client can set the Origin to anything they want, even in a browser. So the server cannot rely on this at all.

How can a website change the origin header in requests that it performs?

I tried this, but it does not change the Origin header:

fetch('https://example.com/', {
  headers: {
    'Origin': 'https://security.stackexchange.com',
  }
})

MDN says that Origin is a "Forbidden header name", and that it cannot be changed. Is that right?
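An added example, not code from the question or from any answer to it, showing how a server can consume the Origin header as described above: because a browser will not let page script override a forbidden header, the value is meaningful for browser-issued requests, while a non-browser client can send anything, so the check complements a CSRF token rather than replacing it. The allowlist, the Node-style lower-case header object and the Referer fallback policy are assumptions.

```javascript
// Added example (not from the original question): server-side Origin check
// for state-changing requests. Assumes Node-style headers (lower-case keys)
// and a hypothetical allowlist of first-party origins.

// Constructed sample allowlist; exact origins, never prefixes or substrings.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Parse a header value into its serialized origin (scheme://host[:port]).
// Returns null for a missing value, the literal "null" origin (sandboxed
// frames, some redirects), unparsable input, or an opaque origin.
// With `bareOrigin` set, the value must be a bare origin, which is what a
// browser puts in Origin; a Referer may carry a path and query.
function originOf(value, bareOrigin) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.origin === 'null') return null; // e.g. file:, data: schemes
  if (bareOrigin && (url.pathname !== '/' || url.search || url.hash ||
                     url.username || url.password)) {
    return null; // a path, query or userinfo never appears in a real Origin
  }
  return url.origin;
}

// Policy: trust Origin when present; fall back to Referer because some
// browsers omit Origin on same-origin requests; if neither is usable, fail
// closed rather than guessing.
function checkOrigin(headers) {
  const origin = originOf(headers.origin, true);
  if (origin !== null) {
    return { allowed: ALLOWED_ORIGINS.has(origin), source: 'origin', origin };
  }
  const referer = originOf(headers.referer, false);
  if (referer !== null) {
    return { allowed: ALLOWED_ORIGINS.has(referer), source: 'referer', origin: referer };
  }
  return { allowed: false, source: 'none', origin: null };
}
```

A look-alike origin such as `https://app.example.com.attacker.example` parses fine but is not in the set, which is why the comparison is an exact match on the serialized origin and not a prefix test.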