
I'm talking about the Origin header, which is present on XHR requests and cannot be assigned by code. A CSRF token is not necessary if you require Origin because the origin is not sent with standard HTML forms.
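The Origin-based check described in the comment above, as an added example (not code from the commenter): a server-side allowlist check that requires the header, canonicalizes scheme, host and port, and rejects absent, `null` or malformed values. The allowlist entries are constructed placeholders.

```python
from typing import Mapping, Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real service loads it from config.
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com", "https://app.example.com:8443"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if malformed.

    A browser-set Origin is exactly scheme + host (+ port): no path, query,
    fragment or credentials. Anything else is rejected rather than repaired.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers the opaque value "null" and bare junk
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(headers: Mapping[str, str], allowed: Set[str] = ALLOWED_ORIGINS) -> bool:
    """True only if the request carries an Origin that matches the allowlist.

    Absent Origin (no XHR, or a client that never sets it) is rejected, so a
    plain cross-site form post is refused instead of falling through.
    Matching is on the whole canonical origin, so "app.example.com.evil.test"
    never matches "app.example.com".
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return False
    canon = normalize_origin(origin)
    if canon is None:
        return False
    allowed_canon = {normalize_origin(o) for o in allowed} - {None}
    return canon in allowed_canon
```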

It can be inside of insecure browsers; you're not any more secure than you were before after CORS.

Users with insecure browsers are subjecting themselves to security vulnerabilities, not me. In this case, the service just wouldn’t work for them. Not overly worried about those users because they represent a diminishingly small portion of our user base.

The problem is that you can be unaware. It's also not tracked as a metric. Nobody knows how large or small it is.

Also, it's easily bypassed.
