Why does Firefox not always send the HTTP Origin header for POST requests?

15
votes

I'm exploring the idea of HTTP Origin checks as CSRF protection for Drupal at https://www.drupal.org/node/1803712

Now I was testing how the Origin header arrives with a POST request, but Firefox does not send the Origin header on the user login form submission. Chromium and Chrome work fine, they send the Origin header.

Firefox version is 36.0.1. I also tested with a clean Firefox installation because I thought maybe some of my browser plugins suppress the Origin header, but no luck - no Origin header there either.

Is there a documentation page that describes when Firefox sends the Origin header and when not?

2
httpfirefox
Yes, that's a good question, and I'm surprised there aren't any answers, since it basically applies to all web API developers out there. It does make CSRF protection rather more complicated than it should be.Bart van Heukelom

2 Answers

6
votes

Is isn't implemented yet. There's a discussion here: https://bugzilla.mozilla.org/show_bug.cgi?id=446344

2
votes

The default on Firefox is not to send HTTP_ORIGIN.

The reason is a bug that causes hangs on some mobile Firefox versions if the network.http.sendOriginHeader configuration variable (accessible via about:config) is enabled. (For details see https://developer.mozilla.org/en-US/Firefox/Experimental_features#Security and the link provided by Marco's comment https://bugzilla.mozilla.org/show_bug.cgi?id=446344.)

There is a proposal to enable FF sending HTTP_ORIGIN by default, but the TODO list is long (see https://bugzilla.mozilla.org/show_bug.cgi?id=1424076). So it will probably take years until FF will generally send HTTP_ORIGIN even without Javascript code enabling CSRF.

Some FOSS OSes preconfigure their FF ports to send HTTP_ORIGIN by default. BTW, MS Edge also does not send HTTP_ORIGIN without explicitly enabling CSRF using Javascript.

For this reason I have implemented a security setting of my site which enables the users to disallow POST transactions from browsers that do not provide HTTP_ORIGIN.