| title | Origin header |
|---|---|
| short-title | Origin |
| slug | Web/HTTP/Reference/Headers/Origin |
| page-type | http-header |
| browser-compat | http.headers.Origin |
| sidebar | http |
The HTTP Origin {{Glossary("request header")}} indicates the {{glossary("origin")}} (scheme, hostname, and port) that caused the request.
For example, if a user agent needs to request resources included in a page, or fetched by scripts that it executes, then the origin of the page may be included in the request.
| Header type | {{Glossary("Request header")}} |
|---|---|
| {{Glossary("Forbidden request header")}} | Yes |
Origin: null
Origin: <scheme>://<hostname>
Origin: <scheme>://<hostname>:<port>null- : The origin is "privacy sensitive", or is an opaque origin as defined by the HTML specification (specific cases are listed in the description section).
<scheme>- : The protocol that is used. Usually, it is the HTTP protocol or its secured version, HTTPS.
<hostname>- : The domain name or the IP address of the origin server.
<port>{{optional_inline}}- : Port number on which the server is listening.
If no port is given, the default port for the requested service is implied from the scheme (e.g.,
80for an HTTP URL).
- : Port number on which the server is listening.
If no port is given, the default port for the requested service is implied from the scheme (e.g.,
The Origin header is similar to the {{HTTPHeader("Referer")}} header, but does not disclose the path, and may be null.
It is used to provide the security context for the origin request, except in cases where the origin information would be sensitive or unnecessary.
Broadly speaking, user agents add the Origin request header to:
- {{Glossary("CORS", "cross origin")}} requests.
- same-origin requests except for {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} requests (i.e., they are added to same-origin {{HTTPMethod("POST")}}, {{HTTPMethod("OPTIONS")}}, {{HTTPMethod("PUT")}}, {{HTTPMethod("PATCH")}}, and {{HTTPMethod("DELETE")}} requests).
There are some exceptions to the above rules; for example, if a cross-origin {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} request is made in no-cors mode, the Origin header will not be added.
The Origin header value may be null in a number of cases, including (non-exhaustively):
- Origins whose scheme is not one of
http,https,ftp,ws,wss, orgopher(includingblob,fileanddata). - Cross-origin images and media data, including that in {{HTMLElement("img")}}, {{HTMLElement("video")}} and {{HTMLElement("audio")}} elements.
- Documents created programmatically using {{domxref("DOMImplementation.createDocument", "createDocument()")}}, generated from a
data:URL, or that do not have a creator browsing context. - Redirects across origins.
- Documents served with the {{HTTPHeader("Content-Security-Policy")}}
sandboxdirective whose value doesn't includeallow-same-origin. - {{HTMLElement("iframe", "iframes")}} with a sandbox attribute whose value doesn't include
allow-same-origin. - Responses that are network errors.
- {{HTTPHeader("Referrer-Policy")}} set to
no-referrerfor non-corsrequest modes (e.g., basic form posts).
Note
There is a more detailed listing of cases that may return null on Stack Overflow: When do browsers send the Origin header? When do browsers set the origin to null?
Origin: https://developer.mozilla.orgOrigin: https://developer.mozilla.org:80{{Specifications}}
{{Compat}}
- {{HTTPHeader("Host")}}
- {{HTTPHeader("Referer")}}
- Same-origin policy
- When do browsers send the Origin header? When do browsers set the origin to null? (Stack Overflow)