Latest revision: 2022-07-11.
This short gist sheds a bit of light on CORS and on how an HTTP request indicates its origin. Should be easy to trick the server by setting the Origin header, right? Not really.
CORS is a browser mechanism built around the forbidden Origin request header. That means the browser (user agent) is in charge of telling the server where the request originates from. Setting the header manually or from page script (for example in a fetch or XMLHttpRequest call) has no effect: the browser discards the supplied value and sends the page's real origin.
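The two halves of that mechanism, modelled as an added example that is not code from this gist: a toy of the user agent overriding a script-supplied Origin, and the server deciding from the received Origin whether to share the response. The allowlist, the sample origins and the reduced forbidden-header list are constructed for the example.

```javascript
// Added example, not code from the gist. ALLOWED_ORIGINS and all sample
// origins are constructed values.

const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "https://admin.example:8443",
]);

// Small subset of the forbidden request header names from the Fetch spec:
// page script cannot set these, the browser fills them in itself.
const FORBIDDEN = new Set(["origin", "host", "cookie", "referer"]);

// Toy model of what a browser sends for a cross-origin fetch() issued by a
// page at `pageOrigin`: forbidden names in `scriptHeaders` are dropped and
// Origin is set from the page, whatever the script asked for.
function headersSentByBrowser(pageOrigin, scriptHeaders) {
  const sent = {};
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (!FORBIDDEN.has(name.toLowerCase())) sent[name] = value;
  }
  sent.Origin = pageOrigin;
  return sent;
}

// Server side: normalize the received Origin to its scheme://host[:port]
// serialization and check it against the allowlist. Opaque origins ("null",
// as sent for file: or sandboxed pages) and unparsable values never match.
function corsResponseHeaders(originHeader) {
  if (originHeader === undefined) return {}; // same-origin or non-browser client
  let origin;
  try { origin = new URL(originHeader).origin; } catch { return {}; }
  if (origin === "null" || !ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Weak configuration for contrast: echo any Origin and allow credentials.
// The server is trusting a value it did not choose, so any site the
// browser is visiting becomes an allowed origin.
function reflectingCorsHeaders(originHeader) {
  if (originHeader === undefined) return {};
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}
```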
An HTTP-header based mechanism that allows a server to indicate any origins other than its own from which a browser should permit loading resources.
(source: Cross-Origin Resource Sharing (CORS))
A browser mechanism which enables controlled access to resources located outside of a given domain.
(source: Cross-origin resource sharing)
The Origin request header indicates the origin (scheme, hostname, and port) that caused the request.
(source: Origin)
The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.
(source: Access-Control-Allow-Origin)
A forbidden header name is the name of any HTTP header that cannot be modified programmatically; specifically, an HTTP request header name (in contrast with a Forbidden response header name). Modifying such headers is forbidden because the user agent retains full control over them.
(source: Forbidden header name)