Origin field
Origin identifies the source origin associated with a request without a path.
- cors
- origins
- fields
Meaning
Origin serializes the origin associated with a request. For an HTTP(S) origin,
that includes scheme, host, and a non-default port, but no path, query, fragment,
or user information.
Origin: https://app.example.invalid
Expected result: a CORS-aware server can compare the exact serialized origin with its allowlist. The field states the caller context; it does not grant access.
The null value
Some sandboxed, local-file, data, or privacy-sensitive contexts serialize an
opaque origin as null. Treating null as a wildcard can unintentionally trust
multiple unrelated contexts.
Security boundary
Browsers control this forbidden request header in Fetch contexts. Servers must still authenticate and authorize requests; non-browser clients can construct HTTP requests outside the browser security model.
