CORS is NOT enough to mitigate CSRF attacks, yet.

It may be tempting to drop the CSRF tokens – CORS is giving us powerful mechanism for discovering that request was sent from different origin – the Origin header. Unfortunately it’s not yet implemented well (to my personal preference) by all industry-leading browsers, so we cannot rely on this header just yet.

You should be aware that Mozilla Firefox is not sending Origin header for cross-origin form POST requests. The bug is resolved but it’s still experimental feature which is disabled by default.

The Internet Explorer and Edge doesn’t do any better – no Origin header is sent when posting form (didn’t bother to find if this is a bug or feature in this case – just checked how it behaves).

Google Chrome does good job in that topic – a simple form posted to different origin contains Origin header.

If only all cross-origin, non-get requests contained Origin header, the web would be a better place… ;).

Useful References:

Leave a Comment