Warning: This site documents the original and out-of-date Mozilla proposal for Content Security Policy.

The current and official Content Security Policy specification is undergoing standardization at the W3C Web Application Security Working Group and the latest revision of the specification can be found here:

CSP Specification

Content Security Policy originally addressed Cross Site Request Forgery through the Request-Source directive, but it has been removed from the proposal due to complexity and network latency concerns. The Origin header provides an effective alternative for CSRF mitigation, as described below.

Browser vendors who wish to implement the Origin header should refer to the specification document for detailed information regarding when the request origin is sent versus when null is sent.

  • Cross Site Request Forgery (CSRF)
    • There are many good references that describe the threat and impact of CSRF.
    • CSRF exploits a server's trust of the requests it receives from its clients. Attackers craft web content that, when viewed in the victim's browser, sends bogus requests to target websites on behalf of the victim.
  • Origin Header
    • CSRF can be mitigated through the implementation of a new HTTP header, Origin.
    • Enables the client to send information about the origin of each request to the server. Servers can use this information to decide if each request is valid or not.
    • Improvement over the Referer header, which is suppressed by some user agents due to privacy concerns. Origin sends no path information, so there is no risk of leaking sensitive data in URL parameters. It can therefore be used reliably to determine the legitimacy of cross-site requests.
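The server-side half of the mitigation described above, as an added example that is not part of the original page or of Mozilla's implementation: a request is accepted for a state-changing method only when its Origin header names one of the site's own origins. The set of allowed origins, the fallback to Referer for agents that do not send Origin, and the decision to deny when neither header is present are assumptions of this example; the handling of the literal value null follows the spec's rule that a browser sends null when it will not reveal the request's origin.

```python
from urllib.parse import urlsplit

# Constructed example: the origins this deployment accepts for state-changing requests.
ALLOWED_ORIGINS = {"https://app.example", "https://www.app.example"}

# Methods that do not change server state are not CSRF targets and are not checked here.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_from_referer(referer):
    """Reduce a Referer URL to its scheme://host[:port] origin; None if unusable."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request_origin(method, headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a request may proceed, returning (allowed, reason).

    headers is a dict of header names -> values. The Origin header is consulted
    first; it carries no path or query string, so, unlike Referer, it cannot
    leak sensitive URL parameters and is not stripped by privacy-conscious agents.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    origin = headers.get("Origin")
    if origin is not None:
        origin = origin.strip().lower()
        # The browser sends the literal string "null" when it cannot or will not
        # reveal the origin. Treat it as untrusted rather than as same-origin.
        if origin == "null":
            return False, "Origin is null"
        if origin in allowed:
            return True, "Origin allowed"
        return False, f"Origin {origin} not allowed"

    # No Origin header: fall back to Referer for agents that still send it.
    # Denying when both headers are absent is this example's policy choice.
    referer_origin = origin_from_referer(headers.get("Referer"))
    if referer_origin is None:
        return False, "no Origin or Referer"
    if referer_origin in allowed:
        return True, "Referer origin allowed"
    return False, f"Referer origin {referer_origin} not allowed"


if __name__ == "__main__":
    # Constructed requests: a legitimate same-site POST and a cross-site forgery.
    print(check_request_origin("POST", {"Origin": "https://app.example"}))
    print(check_request_origin("POST", {"Origin": "https://attacker.example"}))
```

The check belongs in front of every handler that changes state; the Referer fallback only matters for agents that predate Origin, and the reason string is what a deployment would log when a request is refused.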

Further Details

This specification document will be used as the source of record in the Mozilla implementation of Origin.

The Origin header has been proposed in at least two places, and the intent of the proposals is very similar:

  1. The W3C Access Control specification includes a section on the Origin Request Header.
  2. Adam Barth, Collin Jackson, and John C. Mitchell propose to implement Origin as a response to CSRF attacks.

Mozilla has a patch currently under development which implements Origin.

