Friday, 11 February 2022

HTTP Host & Origin headers for a request, client IP

 https://stackoverflow.com/questions/13851946/header-origin-vs-host



The Host is the domain the request is being sent to. This header was introduced so hosting sites could include multiple domains on a single IP.

The Origin header is the domain the request originates from.

The Host header is always included. The Origin header is included sometimes.



Browsers send the Origin header for POST, PUT, PATCH, and DELETE requests


https://stackoverflow.com/questions/42239643/when-do-browsers-send-the-origin-header-when-do-browsers-set-the-origin-to-null/42242802


So, what the spec means there is: The Origin header is sent in all cross-origin requests, but it’s also always sent for all POST, PUT, PATCH, and DELETE requests — even for same-origin POST, PUT, PATCH, and DELETE requests (which by definition in Fetch are actually “CORS requests” — even though they’re same-origin).



For every user-agent (client) request, the IP address is always the user agent's (the client's) IP. For the Origin request header, the browser automatically sets it to the domain the request is sent from, which is the domain from which the user agent retrieved the page that sends the request, like google.com.

If the request is sent to a different Host than the Origin, for example Origin google.com and Host try.com, the browser triggers CORS. It sends a preflight request to see whether Access-Control-Allow-Origin is present in the server's response to the preflight.


https://stackoverflow.com/questions/34972040/user-ip-and-useragent


since any request you make in JS will come from that client. This means that whatever server is receiving that request will be able to see the IP natively
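The server side of the notes above, as an added example that is not from this post or the linked answers: it compares Origin with Host, answers a CORS preflight with Access-Control-Allow-Origin only for an allowlisted origin, and reads the client IP from the connection. The allowlist, the host names and the sample requests are constructed assumptions; the request objects are shaped like Node's `http.IncomingMessage`.

```javascript
// Constructed allowlist (assumption): origins allowed to read responses cross-origin.
const ALLOWED_ORIGINS = new Set(["https://google.com"]);

// Compare Origin (where the request comes from) with Host (where it is sent).
// Host carries no scheme, so only host[:port] is compared here.
function classify(req) {
  const host = req.headers["host"];      // always present
  const origin = req.headers["origin"];  // present only sometimes
  if (origin === undefined) return "no-origin";
  if (origin === "null") return "opaque-origin";
  try {
    return new URL(origin).host === host ? "same-origin" : "cross-origin";
  } catch {
    return "malformed-origin";
  }
}

// Decide the response status and CORS headers for one request.
function handle(req) {
  const kind = classify(req);
  const origin = req.headers["origin"];
  const isPreflight = req.method === "OPTIONS" &&
    req.headers["access-control-request-method"] !== undefined;
  const res = {
    kind,
    clientIp: req.socket.remoteAddress,  // taken from the connection, not from a header
    status: isPreflight ? 204 : 200,
    headers: { Vary: "Origin" },
  };
  if (kind === "cross-origin" && ALLOWED_ORIGINS.has(origin)) {
    res.headers["Access-Control-Allow-Origin"] = origin;  // echo only an allowlisted origin
    if (isPreflight) res.headers["Access-Control-Allow-Methods"] = "POST, PUT, PATCH, DELETE";
  }
  return res;
}

// Constructed sample requests, shaped like Node's http.IncomingMessage.
const socket = { remoteAddress: "203.0.113.7" };
const samples = [
  { method: "OPTIONS", socket, headers: { host: "try.com", origin: "https://google.com", "access-control-request-method": "PUT" } },
  { method: "OPTIONS", socket, headers: { host: "try.com", origin: "https://other.example", "access-control-request-method": "PUT" } },
  { method: "DELETE", socket, headers: { host: "try.com", origin: "https://try.com" } },
  { method: "GET", socket, headers: { host: "try.com" } },
];
for (const s of samples) console.log(s.method, JSON.stringify(handle(s)));
```

A preflight from an origin outside the allowlist still gets a 204, but without Access-Control-Allow-Origin, so the browser refuses to send the actual request.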


