Mozilla Connect

I notice that when there is a HTTP request for an iframe in Firefox, the request headers do not include the "Origin" header. Below, I present a few reasons that browsers should include the Origin header whenever sending a request for iframe content:

First, for content that is designed to be included in an iframe, it is difficult to only render the page for an allowed set of domains, especially if it is a large list of domains or the website owner wants to keep the allowed list of domains private. They might not want to send this header:

Content-Security-Policy: frame-ancestors 'self' customer.one.com customer.two.com customer.three.com etc.com

If browsers start to include the "Origin" header with iframe HTTP requests, we can dynamically check if the origin is allowed, and then embed it. We can start to get some of the additional security benefits that are used for CORS. For instance:

// If origin 'allowed.domain.com' is allowed, send short header with that domain:
Content-Security-Policy', "frame-ancestors 'self' allowed.domain.com
// else
Content-Security-Policy', "frame-ancestors 'self'

 
iframes are often used by payment processors to help reduce the chance that third party JavaScript on a checkout page can read the sensitive credit card inputs without being detected. Often, websites have third party JavaScript for analytics, marketing, social media, etc. If one of those JavaScript files gets compromised, then the iframe fields are still safe from key loggers. You will find that they need to use a nonce or token to try and make sure the iframe is on the merchant's website and not copied into some other website (maybe to try a card testing attack). Having the Origin header sent by the browser will help make it easier to identify when someone is including an iframe on an unauthorized website.