Origin header
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since July 2020.
The HTTPOriginrequest header indicates theorigin (scheme, hostname, and port) thatcaused the request.For example, if a user agent needs to request resources included in a page, or fetched by scripts that it executes, then the origin of the page may be included in the request.
| Header type | Request header |
|---|---|
| Forbidden request header | Yes |
Syntax
Origin: nullOrigin: <scheme>://<hostname>Origin: <scheme>://<hostname>:<port>Directives
nullThe origin is "privacy sensitive", or is anopaque origin (specific cases are listed in thedescription section).
<scheme>The protocol that is used.Usually, it is the HTTP protocol or its secured version, HTTPS.
<hostname>The domain name or the IP address of the origin server.
<port>OptionalPort number on which the server is listening.If no port is given, the default port for the requested service is implied from the scheme (e.g.,
80for an HTTP URL).
Description
TheOrigin header is similar to theReferer header, but does not disclose the path, and may benull.It is used to provide the security context for the origin request, except in cases where the origin information would be sensitive or unnecessary.
Broadly speaking, user agents add theOrigin request header to:
- cross origin requests.
- same-origin requests except for
GETorHEADrequests (i.e., they are added to same-originPOST,OPTIONS,PUT,PATCH, andDELETErequests).
There are some exceptions to the above rules; for example, if a cross-originGET orHEAD request is made inno-cors mode, theOrigin header will not be added.
TheOrigin header value may benull in a number of cases, including (non-exhaustively):
- Origins whosescheme is not one of
http,https,ftp,ws,wss, orgopher(includingblob,fileanddata). - Cross-origin images and media data, including that in
<img>,<video>and<audio>elements. - Documents created programmatically using
createDocument(), generated from adata:URL, or that do not have a creator browsing context. - Redirects across origins.
- Documents served with the
Content-Security-Policysandboxdirective whose value doesn't includeallow-same-origin. - iframes with a sandbox attribute whose value doesn't include
allow-same-origin. - Responses that are network errors.
Referrer-Policyset tono-referrerfor non-corsrequest modes (e.g., basic form posts).
Note:There is a more detailed listing of cases that may returnnull on Stack Overflow:When do browsers send the Origin header? When do browsers set the origin to null?
Examples
Origin: https://developer.mozilla.orgOrigin: https://developer.mozilla.org:80Specifications
| Specification |
|---|
| The Web Origin Concept # section-7 |
| Fetch # origin-header |