
Request Header Originated With

Document type: Expired Internet-Draft (individual)
Author: Noman Riffat
Last updated: 2019-06-23 (Latest revision 2018-12-20)
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document proposes a new request header that must be sent every time a user agent issues an XMLHttpRequest. The aim of this header is to limit the possibilities of escalating XSS to RCE and to prevent JavaScript from stealing CSRF tokens from other URLs on the same domain. This will allow developers to block a request if it was not supposed to be sent via XMLHttpRequest.


Noman Riffat

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)