Nice! Great thing to build as a Worker, since it can be layered on top of basically any web service without having to change the server code.
Have you had any trouble with some browsers not sending either Origin or Referer, even for legitimate same-origin requests? I seem to remember trying this approach myself several years ago and finding that some users' browsers seemed not to send either header, but I never got a chance to dig into it, and I might be mis-remembering...
I've seen that (current) browsers won't send Origin / Referer Header for GET and HEAD requests, so I'm whitelisting these request types.
Other than that, it seems that IE is not sending the Origin Header for POST requests, so I simply use the Referer Header in this scenario.
Assume an attacker site sets the Referrer Policy header to no-referrer, IE sends no Referer / Origin at all for POST requests, so I block those requests.
The real origin must thus not have a Referrer Policy of "no-referrer".
Other than that, I'm observing the impact of the rule in production but haven't encountered any problems thus far.
2 comments
[ 3.6 ms ] story [ 16.2 ms ] threadHave you had any trouble with some browsers not sending either Origin or Referer, even for legitimate same-origin requests? I seem to remember trying this approach myself several years ago and finding that some users' browsers seemed not to send either header, but I never got a chance to dig into it, and I might be mis-remembering...
Other than that, it seems that IE is not sending the Origin Header for POST requests, so I simply use the Referer Header in this scenario.
Assume an attacker site sets the Referrer Policy header to no-referrer, IE sends no Referer / Origin at all for POST requests, so I block those requests.
The real origin must thus not have a Referrer Policy of "no-referrer".
Other than that, I'm observing the impact of the rule in production but haven't encountered any problems thus far.