by paulddraper 1807 days ago
> Is the origin header flawed in some way?

tl;dr yes. It's not always sent.

1 comments

This is true. Could we not disregard requests without an origin header?

According to [0] we can force CORS behaviour by using a non-simple request in our webapp, for example by setting the MIME type to JSON.

0: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
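
The server-side check the reply above proposes, as an added example that is not part of the thread: reject state-changing requests that carry no Origin header or an unlisted one, and require a JSON content type so that a cross-origin browser request cannot be a "simple" request and must pass a CORS preflight. The names `ALLOWED_ORIGINS` and `checkStateChangingRequest` and the origin value are hypothetical; the function assumes lower-cased header names, as Node's http module provides.

```javascript
// Added example. ALLOWED_ORIGINS and checkStateChangingRequest are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed value
// Assumption: these methods never change state in the application.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// headers: plain object keyed by lower-cased header name.
function checkStateChangingRequest(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method" };
  }
  const origin = headers["origin"];
  // A missing header is rejected outright. The literal string "null" is what
  // browsers send for opaque origins (e.g. sandboxed iframes), so it is
  // treated the same way.
  if (origin === undefined || origin === "null") {
    return { allow: false, reason: "missing or null Origin" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { allow: false, reason: "Origin not allowed" };
  }
  // Compare only the media type; parameters such as charset are ignored.
  // form-urlencoded, multipart/form-data and text/plain are the content types
  // a cross-origin page can send without a preflight, so they are refused.
  const mediaType = (headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    return { allow: false, reason: "Content-Type must be application/json" };
  }
  return { allow: true, reason: "ok" };
}
```

Clients that legitimately omit the Origin header are refused by this check as well.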