Origin field

Origin identifies the source origin associated with a request without a path.

  • cors
  • origins
  • fields

Meaning

Origin serializes the origin associated with a request. For an HTTP(S) origin, that includes scheme, host, and a non-default port, but no path, query, fragment, or user information.

Origin: https://app.example.invalid

Expected result: a CORS-aware server can compare the exact serialized origin with its allowlist. The field states the caller context; it does not grant access.

The null value

Some sandboxed, local-file, data, or privacy-sensitive contexts serialize an opaque origin as null. Treating null as a wildcard can unintentionally trust multiple unrelated contexts.

Security boundary

Browsers control this forbidden request header in Fetch contexts. Servers must still authenticate and authorize requests; non-browser clients can construct HTTP requests outside the browser security model.

Primary sources