Bug 144817 - Origin HTTP header not set to null after following cross-origin redirect
Summary: Origin HTTP header not set to null after following cross-origin redirect
Status: RESOLVED DUPLICATE of bug 144157
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified All
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Depends on:
Reported: 2015-05-08 15:58 PDT by Brad Hill
Modified: 2015-05-11 12:29 PDT (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Brad Hill 2015-05-08 15:58:55 PDT
The HTTP Origin header, described by https://tools.ietf.org/html/rfc6454, allows a server to determine a user agent's view of where a request originated from.

RFC6454 allows this header to be multi-valued on redirects, but CORS (http://w3.org/TR/cors) implicitly requires it to be single-valued (because it specifies an exact string match comparison).
All major user agents implement single-valued behavior, and because of this must set the header to 'null' when a redirect crosses same-origin boundaries.  If the value of the original Origin is preserved after a 3xx redirect, it may result in a confused deputy vulnerability that allows bypass of CSRF protections.

For example, the issue described at the following post is enabled by this incorrect behavior:


Test cases are available at the following URLs:


WebKit is vulnerable by not setting Origin to null on cross-origin redirects on any 3xx status code which preserves the GET/POST payload.

A similar issue was reported to Blink for status code 308, and has since been patched, see:

Comment 1 Radar WebKit Bug Importer 2015-05-10 23:03:48 PDT
Comment 2 Alexey Proskuryakov 2015-05-11 12:29:58 PDT

*** This bug has been marked as a duplicate of bug 144157 ***