
Chrome extension AJAX request without Origin header

This is what an AJAX request made with jQuery from a Chrome extension looks like (print_r() in PHP):

Array
(
    [HTTP_HOST] => 127.0.0.1
    [HTTP_CONNECTION] => keep-alive
    [CONTENT_LENGTH] => 0
    [HTTP_ACCEPT] => */*
    [HTTP_ORIGIN] => chrome-extension://apdckddecfflophongckfbabbjhnjbph
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.123 Safari/537.36
..

How can I remove the Origin header from an AJAX request before it leaves the browser?

Just add the website to the permissions section of your manifest file (see match patterns for the valid formats). Then the request will be treated as if it was sent from the same origin as the website, and the "Origin" request header will not be added.

{
    ...
    "permissions": [
        "*://example.com/*"
    ]
}

(Without this permission, Chrome will still try to fetch the resource using CORS, causing the "Origin" header to be added. Such requests will only succeed if the server replies with an Access-Control-Allow-Origin header that is either a wildcard (*) or matches the requester's origin.)
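As an added example (not part of the answer above), here is the server-side half of the CORS decision the answer describes: a request with no Origin header (same-origin, or an extension that holds a host permission for the site) needs no CORS headers, while a request that does carry one only succeeds if the server echoes that exact origin. The allowlist entries are constructed for illustration; the extension ID is the one from the print_r() dump in the question.

```javascript
// Origins this server is willing to answer cross-origin requests for.
// "https://example.com" is a constructed example; the chrome-extension://
// entry is the extension origin shown in the question's request dump.
const ALLOWED_ORIGINS = new Set([
  "https://example.com",
  "chrome-extension://apdckddecfflophongckfbabbjhnjbph",
]);

// Decide how to answer a request given the value of its Origin header
// (undefined when the browser sent none). Returns whether the request may
// proceed and the response headers to add.
function corsDecision(originHeader) {
  if (originHeader === undefined) {
    // No Origin header: a same-origin request, or an extension request that
    // Chrome treats as same-origin because of a host permission. There is
    // nothing for CORS to decide, so send no Access-Control-* headers.
    return { allowed: true, headers: {} };
  }
  const origin = originHeader.trim();
  // Browsers send the literal string "null" for opaque origins (sandboxed
  // frames, file://); it must never match an allowlist entry.
  if (origin === "null" || !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, headers: {} };
  }
  return {
    allowed: true,
    headers: {
      // Echo the specific origin rather than "*": a wildcard would admit every
      // site and every extension, and it cannot be combined with credentials.
      "Access-Control-Allow-Origin": origin,
      // The response varies by Origin, so shared caches must key on it.
      "Vary": "Origin",
    },
  };
}

// Apply the decision to a minimal request object ({ headers: {...} }) and
// return the status and headers a handler would send.
function handleRequest(req) {
  const decision = corsDecision(req.headers["origin"]);
  if (!decision.allowed) {
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: decision.headers };
}

module.exports = { corsDecision, handleRequest };
```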

The Origin header is added by the browser automatically and can't be controlled by the user. It is a web principal which determines the origin of a piece of content from the URI. CORS also uses this header to determine whether this cross-domain request should be accepted or rejected.

The Origin header is always added to cross-origin requests, and some same-origin requests might include it as well. For example, Chrome and Safari include the Origin header on same-origin POST/PUT/DELETE requests; it depends on the browser implementation.

Unfortunately, I think there is no way to remove this header.
