The Origin Header

已于 2024-05-25 14:56:06 修改
阅读量496 收藏 11
点赞数 11
分类专栏: Nnix with ME & GPT Security & ME & GPT 文章标签: WEB HTTP
于 2024-05-25 14:51:59 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_38233104/article/details/139197577
版权

The Origin header is a vital security feature in HTTP requests. It conveys the essential information about the source (origin) of a request to the server that receives it. This origin is comprised of three parts:

  • Scheme: This indicates the protocol used, like HTTP or HTTPS.
  • Hostname: This is the domain name of the website making the request (e.g., "www.example.com").
  • Port (optional): If a non-standard port is used (usually 80 for HTTP and 443 for HTTPS), it's also included in the Origin header.

Key Points:

  • Origin vs. Referer: The Origin header differs from the Referer header in a crucial way. While the Referer includes the entire URL with the path, the Origin omits the path information. This is done to prevent sensitive data, potentially within the path, from being revealed.
  • Browser-controlled: The browser automatically adds the Origin header to specific requests. Users cannot modify it directly.
  • When is it Sent? The Origin header is primarily included in two scenarios:
    • Cross-Origin Requests: Whenever a web page requests resources (scripts, images, etc.) from a different domain than its own, the Origin header is mandatory. This helps enforce security restrictions between domains (covered in CORS).
    • Same-Origin Requests (Modern Browsers): In some modern browsers, the Origin header might also be included in same-origin requests, particularly for methods like PUT, POST, and DELETE.

Role in CORS (Cross-Origin Resource Sharing)

The Origin header plays a central role in CORS, a security mechanism that governs how browsers handle requests between different domains. By including the Origin header, the browser informs the server about the request's origin. The server can then check its CORS configuration (using Access-Control-Allow-Origin header) to determine whether to allow or restrict the request based on its origin.

See

HTTP协议中的“X-Real-IP”头字段的作用是什么?底层原理是什么?-阿里云开发者社区

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

http - X-Original-For header: what's its purpose? - Stack Overflow

P("Struggler") ?
关注
  • 11
    点赞
  • 11
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
No Access-Control-Allow-Origin header is present on the requested resource.解决
是日已过,命亦随减的博客
06-10 1万+
出现此问题的原因是 所请求的资源上没有“ Access-Control-Allow-Origin”标头。 这个是域名的问题,比如你本地域名跟测试站域名冲突,因为在代码中已经设置成某个固定的域名了,所以请求接口的时候本地无法访问到测试站域名,所以要找到config文件最初配置域名的地方把他改成本地的域名就可以了 了。 解决跨域问题也很简单,在PHP代码中增加头部即可。 $header['Access-Control-Allow-Origin'] = '*'; $header['Access-Contr
解决方案 ‘Access-Control-Allow-Originheader in the response must not be the wildcard ‘*’
12-20
文中内容由本人测试和整理 环境 文中使用的环境是 "name": "vue-admin-template", "version": "3.8.0" using npm@6.4.1 using node@v10.14.2 先看三张图,正常都是服务器返回session,然后浏览器每次发请求都会...
解决The value of the ‘Access-Control-Allow-Originheader in the response must not be the wildcard ‘*‘
热门推荐
后端开发
05-31 1万+
1.问题描述: 前台vue项目中需要在request_header中传cookie给后台 但是控制台报错如下; Access to XMLHttpRequest at ‘http://192.168.0.230:9800/v1/user/wwwlogin’ from originhttp://192.168.0.230:8888’ has been blocked by CORS policy: Response to preflight request doesn’t pass access co
报错The Access-Control-Allow-Origin header contains multiple values
qq_33280027的博客
06-09 2656
遇到Access to XMLHttpRequest at 'http://api.leyou.com/api/item/category/list?pid=0' from origin 'http://manage.leyou.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'http://manage.leyou.com, *', but onl
ajax报错No Access-Control-Allow-Origin header is present on the requested resource
wh456413的博客
06-01 812
ajax报错Access to XMLHttpRequest at ‘xxx’ from origin ‘xxx’ has been blocked by CORS policy: No ‘Access-Control-Allow-Originheader is present on the requested resource 原先以为是跨域设置有问题,检查@CrossOrigin和配置类没问题后,终于发现了问题所在: jsp页面使用localhost进行ajax操作,跨域时jsp页面就会出现这种报
The 'Access-Control-Allow-Origin' header contains multiple values
gosenkle的专栏
10-31 3036
主要原因还是因为对该header属性做了多次操作,我的是因为使用了zuul,zuul默认会对header做操作   解决方案 zuul.ignored-headers=Access-Control-Allow-Credentials, Access-Control-Allow-Origin   或 zuul:   ignored-headers: Access-Control-All...
The ‘Access-Control-Allow-Originheader contains multiple values
java_Trainees的博客
03-20 4653
此错误表明我们我们进行了多个跨越配置的处理,而系统之认一个,所以需要删除,只留下一个就好。 1 gateway网关配置 2@CrossOrigin 注解 3 所引入的文件中带有对跨越的处理 4nginx进行了相关的配置(ngingx启动的情况下) ...
The value of the ‘Access-Control-Allow-Originheader in the response must not be the wildcard ‘*‘ w
weixin_43820434的博客
04-27 3225
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attri
解决No Access-Control-Allow-Origin header is present on the requested resource问题
liu1160848595的博客
05-06 4093
今天前端突然找到我,说让我解决跨域问题,我一脸懵逼,我以前接口也是这么写都没有跨域问题,现在怎么有了,他给我的错误截图如下: 好吧,第一次遇到,找了很久,找到一个最简单的方法: 如果是springboot项目,在controller上加@CrossOrigin即可解决: 当然,也可以在具体方法上面加,就看你想划分的粒度大小了。 如果不是springboot工程,可以参考:https://blo...
解决No Access-Control-Allow-Origin header is present on the requested跨域问题
weixin_45854715的博客
06-12 1372
今天在学习vue的时候,简单的做了一个前后端分离的测试, 通过axios请求本地项目的内容时报错: Failed to load http://localhost:8082/XXXX: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8082' is therefore not allowed access. If an opaque resp
静态文件访问不到报No Access-Control-Allow-Origin处理办法
06-11
静态文件访问不到报No 'Access-Control-Allow-Origin' header is present on the requested resource处理办法
Nginx配置跨域请求Access-Control-Allow-Origin * 详解
09-09
主要给大家介绍了关于Nginx配置跨域请求Access-Control-Allow-Origin * 的相关资料,文中通过示例代码介绍的非常详细,对大家学习或者使用Nginx具有一定的参考学习价值,需要的朋友们下面来一起学习学习吧
Vue 项目中遇到的跨域问题及解决方法(后台php)
01-19
The value of the ‘Access-Control-Allow-Originheader in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. The value of the ‘Access-Control-Allow-...
基于stm32f4系列单片机,ad7606的8通道16位的同步ADC例程。.zip
最新发布
06-16
基于stm32f4系列单片机,ad7606的8通道16位的同步ADC例程。
六数码问题..._lan.zip
06-16
六数码问题..._lan
ASP.NET旅游信息管理系统 asp.net(c#)+sql.zip
06-16
ASP.NET旅游信息管理系统 asp.net(c#)+sql
ListView 中的item随意拖动.zip
06-16
ListView 中的item随意拖动.zip
No Access-Control-Allow-Origin header is present on the requested resource.
09-15
No 'Access-Control-Allow-Origin' header is present on the requested resource是一个跨域问题。这个问题通常发生在前端访问后端接口时,由于安全限制,浏览器会阻止跨域请求。要解决这个问题,有几种方法可以尝试...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

P("Struggler") ?

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值