Firefox 3.5 Introduces Origin Header, Security Features
FireFox 3.5 was just released about a half hour ago. You can checkout all the new features for web developers here.
For me, as someone that does a lot of security research one of the most interesting new features is the
Origin http header that FireFox 3.5 now sends. The
Origin header when your browser makes a request the following types of requests: scripts, stylesheets, form GET & form POST, redirects, XMLHttpRequest (XHR, ajax), and frames.
You may be thinking, ok how is this different than the HTTP Referrer header. First, it only sends the domain name of the page, and second it doesn't have many privacy concerns (so hopefully people won't turn it off).
So how can this improve security?
Web Servers can block requests that send invalid
Origin headers, this will mitigate the risk of cross site request forgeries (CSRF), including JSON hijacking for people using browsers that support this feature.
You can read more about the origin header here.
- Ajax Same Origin Policy No More with Firefox 3.5 - June 30, 2009
- Firefox Now Supports HttpOnly Cookies - July 19, 2007
- csrfVerifyToken does not invalidate the token - February 6, 2019
- Firefox Aurora now Supports Content Security Policy 1.0 - May 31, 2013
- HTTP Strict Transport Security - September 17, 2010
- Redirect www and non https in IIS using web.config
- Not authorized to perform: ssm:GetParameters
- What is the difference between ASCII Chr(10) and Chr(13)
- Fixinator and Foundeo Security Bundle
- Running CFML on AWS Lambda with FuseLess Slides
- Updating Java on ColdFusion or Lucee
- ColdFusion returning empty response with server-error: true
- Careful applying CF11u16, CF2016u8, CF2018u2