Origin header proposal for CSRF and clickjacking mitigation

This page contains collected thoughts generated in discussion and deep thinking about implementing some type of Origin-like header. The Origin header is considered helpful against JSON data theft and CSRF attacks. The information provided by Origin, a bit of contextual request-creation information, should provide hints to web servers about the trustworthiness of requests in all three of these situations.

JSON data theft: Data served via JSON (and imported using a script tag) can be stolen if the origin of a JSON request is not authenticated. If the origin of a script request were provided, web servers could decide whether or not to serve JSON data.

CSRF: Cross-site request forgeries are often GET requests assembled and sent through the use of an automatic load (like an img or script tag). In many scenarios, like the two mentioned, state-changing transactions should not be allowed. In other scenarios, like form submissions, state-changing transactions should be accepted but should be authenticated so the server knows what site generated the request.

Generally, the Origin header aims to provide a bit of context with HTTP requests so that servers may make educated decisions on whether or not to serve data, accept request data for state-changing transactions, or continue with a persistent session. This is accomplished by specifying a list of sites that indirectly caused a request (the redirect chain) and the immediate "Origin" of a request, or the entity that most recently caused the request to happen. This Origin may be a host name or the string "null" in the cases where a request may have been falsely or deceptively generated.

Much discussion and debate went on when considering how to design this feature. This section attempts to describe some of the decisions made and the reasoning behind them.

Advantage of more than one bit of data

One similar approach to solving CSRF is to send a "Same-Origin" header with requests, setting its value to "YES" if the referrer is of the same origin as the requested content and "NO" otherwise. While this one-bit approach can be effective against CSRF, it doesn't seem robust enough for deployment. Some sites post data cross-site when they own multiple domains. Additionally, a state-changing request might not be actually intended: an open redirect might be exploited, thus spoofing the content submission.
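The following is an added example, not code from the proposal or from Mozilla, showing how a server might act on the three possible Origin values described above (absent, "null", or an origin string) for state-changing and JSON requests, and why the full origin beats the one-bit "Same-Origin" YES/NO header for a site that owns several domains. The trusted origin set, the `/api/` convention for JSON endpoints, and the separately supplied `redirect_chain` list are all assumptions made for the example; the page gives no wire format for the redirect chain, so it is modelled as a plain Python sequence of origins.

```python
from urllib.parse import urlsplit

# Constructed configuration: a hypothetical service that owns two domains and
# legitimately posts data between them (the multi-domain case in the text).
TRUSTED_ORIGINS = {"https://app.example", "https://shop.example"}
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def origin_of(url):
    """Reduce a URL to its origin string scheme://host[:port], lowercased.
    Default ports are dropped so https://a.example:443 equals https://a.example."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}"


def same_origin_bit(referrer, target):
    """The one-bit alternative discussed in the text: YES if the referrer shares
    the target's origin, NO otherwise. It cannot tell a sibling domain the
    site owns from an arbitrary third-party site."""
    return "YES" if origin_of(referrer) == origin_of(target) else "NO"


def origin_policy(method, path, origin, redirect_chain=(),
                  trusted=TRUSTED_ORIGINS, json_prefixes=("/api/",)):
    """Decide whether to honour a request given the Origin the browser sent.

    origin is None when the header is absent, "null" when the browser could
    not vouch for the request's creator, or an origin string otherwise.
    redirect_chain holds the origins that indirectly caused the request
    (assumed to be supplied separately). Returns (allowed, reason).
    """
    sensitive = method in STATE_CHANGING_METHODS or path.startswith(json_prefixes)
    if not sensitive:
        return True, "plain read; Origin not consulted"
    if origin is None:
        return False, "Origin absent on a sensitive request"
    if origin == "null":
        return False, "browser marked the request creator as untrustworthy"
    if origin not in trusted:
        return False, f"untrusted origin {origin}"
    # Open-redirect case: the immediate origin is ours, but an untrusted site
    # started the chain, so the submission may have been spoofed.
    untrusted = [o for o in redirect_chain if o not in trusted]
    if untrusted:
        return False, f"redirect chain includes untrusted {untrusted[0]}"
    return True, "origin and redirect chain trusted"


if __name__ == "__main__":
    # Cross-domain post between two domains the site owns: the one-bit header
    # says NO, the full Origin lets the server recognise its own sibling domain.
    print(same_origin_bit("https://shop.example/cart", "https://app.example/checkout"))
    print(origin_policy("POST", "/checkout", "https://shop.example"))
    print(origin_policy("GET", "/api/contacts", "https://attacker.example"))
    print(origin_policy("POST", "/checkout", "https://app.example",
                        redirect_chain=("https://attacker.example",)))
```

The policy only consults Origin for requests that can change state or that return JSON; ordinary page loads are served regardless, which is the distinction the text draws between "should not be allowed" and "should be authenticated" scenarios.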