Maciej Stachowiak wrote on 1/16/2009 4:40 PM:

> Such hotlinking is probably using a GET request, so no Origin header
> would be sent. I believe it is also outside the scope of the CSRF
> protection and cross-origin data sharing goals of Origin. The Referer
> header is still usable for hotlinking prevention in this scenario, the
> only downside being that it is apparently often filtered by sites or
> users for privacy reasons.
Ha, well, mea culpa. I was imagining it from the endpoint receiving an Origin header, then how it could be deceptive in the case of a redirect. If anything, I guess my scenario would be an argument against sending Origin for non-Access-Control GET requests. Thanks for keeping me straight.

As for the hotlinking, I wasn't implying that Origin should (or can) be used to combat it. I saw it as an example of how the Origin header may have the side-effect of being used for other purposes simply by being present in the request.

- Bil
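To make the two points of this exchange concrete, here is an added example (not code from either poster or from any browser or server project): a server-side check that uses Origin on state-changing requests, falls back to Referer when Origin is absent, and a separate Referer-only hotlinking check for plain GET requests that tolerates a stripped Referer. The allowed origins, the header names as a plain dict, and the treatment of a literal "null" Origin as untrusted are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed example: the origins at which this site's own pages are served.
ALLOWED_ORIGINS = {"https://example.test", "https://www.example.test"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers):
    """Decide whether a request may change state.

    Returns (allowed, reason). Plain GET/HEAD/OPTIONS are not checked at all:
    as the thread notes, a plain GET normally carries no Origin header, and
    state-changing work should not happen on GET anyway.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method; not subject to the CSRF check"

    origin = headers.get("Origin")
    if origin is not None:
        # A literal "null" Origin (opaque origin) carries no trust: reject.
        if origin.strip().lower() == "null":
            return False, "Origin is null; treated as untrusted"
        return origin.strip().lower() in ALLOWED_ORIGINS, "decided on Origin"

    # No Origin: fall back to Referer, which browsers usually send on
    # form posts but which sites or users may strip for privacy.
    referer = headers.get("Referer")
    if referer is not None:
        return origin_of(referer) in ALLOWED_ORIGINS, "decided on Referer"

    # Neither header on a state-changing request: fail closed.
    return False, "no Origin and no Referer on a state-changing request"


def hotlink_check(headers):
    """Referer-based hotlinking check for a GET of a static asset.

    Returns (allowed, reason). Origin is not consulted: it is not sent on a
    plain GET and is outside Origin's purpose. Because Referer is often
    filtered for privacy, an absent Referer is allowed rather than blocked;
    only an explicit cross-site Referer is refused.
    """
    referer = headers.get("Referer")
    if referer is None:
        return True, "Referer absent (possibly filtered); cannot tell, allow"
    ref_origin = origin_of(referer)
    if ref_origin in ALLOWED_ORIGINS:
        return True, "same-site Referer"
    return False, "cross-site Referer; likely hotlink"


if __name__ == "__main__":
    # Constructed sample requests exercising each branch.
    samples = [
        ("POST", {"Origin": "https://example.test"}),
        ("POST", {"Origin": "https://attacker.test"}),
        ("POST", {"Referer": "https://www.example.test/form?id=1"}),
        ("POST", {}),
        ("GET", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", csrf_check(method, hdrs))
    for hdrs in ({}, {"Referer": "https://other.test/page"}, {"Referer": "https://example.test/gallery"}):
        print("GET asset", hdrs, "->", hotlink_check(hdrs))
```

The two functions deliberately fail in opposite directions when the informative header is missing: a state-changing request with neither Origin nor Referer is refused, while an asset GET with no Referer is served, since refusing it would break every visitor whose browser or proxy strips Referer.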