Issue #1975 - Implement Origin header CSRF mitigation.

Backported from Mozilla bug 446344.
author: Job Bautista <jobbautista9@protonmail.com> 2022-07-25 18:56:46 +0800
committer: Job Bautista <jobbautista9@protonmail.com> 2022-07-25 18:56:46 +0800
commit: b20b9797dcb42766f9ad114e3093cb241f4258a0 (patch)
tree: 3b15dbc4ab2ff9705755974a86c0ee8e2023b264 /modules
parent: 6542ca6bcdf836ee1fb82b75d77adb0e9604b97b (diff)
download: uxp-b20b9797dcb42766f9ad114e3093cb241f4258a0.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index f391dd4739..d17082364a 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1462,6 +1462,10 @@ pref("network.http.referer.XOriginTrimmingPolicy", 0);
 // 0=always send, 1=send iff base domains match, 2=send iff hosts match
 pref("network.http.referer.XOriginPolicy", 0);
 
+// Include an origin header on non-GET and non-HEAD requests regardless of CORS
+// 0=never send, 1=send when same-origin only, 2=always send
+pref("network.http.sendOriginHeader", 0);
+
 // Controls whether referrer attributes in <a>, <img>, <area>, <iframe>, and <link> are honoured
 pref("network.http.enablePerElementReferrer", true);
author	Job Bautista <jobbautista9@protonmail.com>	2022-07-25 18:56:46 +0800
committer	Job Bautista <jobbautista9@protonmail.com>	2022-07-25 18:56:46 +0800
commit	b20b9797dcb42766f9ad114e3093cb241f4258a0 (patch)
tree	3b15dbc4ab2ff9705755974a86c0ee8e2023b264 /modules
parent	6542ca6bcdf836ee1fb82b75d77adb0e9604b97b (diff)
download	uxp-b20b9797dcb42766f9ad114e3093cb241f4258a0.tar.gz