Origin instead of Host
the invoking page is sent in the Origin header with CORS requests
gdamjan committed Nov 17, 2018
1 parent a84419d commit 1037457
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/Http.elm
Expand Up @@ -772,7 +772,7 @@ This is called [`withCredentials`][wc] in JavaScript, and it allows a couple
other risky things as well. It can be useful if `www.example.com` needs to
talk to `uploads.example.com`, but it should be used very carefully!
For example, every HTTP request includes a `Host` header revealing the domain,
For example, every HTTP request includes a `Origin` header revealing the domain,
so any request to `facebook.com` reveals the website that sent it. From there,
cookies can be used to correlate browsing habits with specific users. “Oh, it
looks like they visited `example.com`. Maybe they want ads about examples!”
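Review bot: The changed line in this hunk still reads "every HTTP request includes a `Origin` header", which contradicts the commit message: it says the invoking page is sent in the Origin header with CORS requests, not with every HTTP request. Suggest scoping the sentence to match, for example "For example, cross-origin requests include an `Origin` header revealing the domain,". That wording also fixes the article, since "a `Origin`" should be "an `Origin`".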