Origin header is similar to the
Referer header, but does not disclose the path, and may be
null. It is used to provide the "security context" for the origin request, except in cases where the origin information would be sensitive or unnecessary.
Broadly speaking, user agents add the
Origin request header to:
There are some exceptions to the above rules; for example, if a cross-origin
HEAD request is made in no-cors mode, the
Origin header will not be added.
Origin header value may be
null in a number of cases, including (non-exhaustively):
- Origins whose scheme is not one of
- Cross-origin images and media data, including that in
- Documents created programmatically using
createDocument(), generated from a
data: URL, or that do not have a creator browsing context.
- Redirects across origins.
- iframes with a sandbox attribute that doesn't contain the value
- Responses that are network errors.