en.javascript.info/5-network/04-fetch-crossorigin/1-do-we-need-origin/solution.md
2019-04-02 14:01:44 +03:00

We need Origin because sometimes Referer is absent. For instance, when we fetch an HTTP page from an HTTPS page (accessing less secure from more secure), there's no Referer.

The Content Security Policy may forbid sending a Referer.

As we'll see, fetch also has options that prevent sending the Referer and even allow changing it (within the same site).

By specification, Referer is an optional HTTP header.

Origin was invented precisely because Referer is unreliable. The browser guarantees a correct Origin for cross-origin requests.
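
What this means for a server that has to decide where a cross-origin request came from, as an added example (not part of the original solution): the decision is made from `Origin`, and a `Referer`-only check is shown beside it for comparison. The allowlist, function names and sample headers are constructed for illustration.

```javascript
// Added example. ALLOWED and all sample header sets below are constructed.
const ALLOWED = new Set(["https://app.example"]);

// Reduce a header value to a canonical origin, or null if it is unusable.
function toOrigin(value) {
  if (!value || value === "null") return null; // opaque origin: never trusted
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:" ? u.origin : null;
  } catch {
    return null; // not a parseable URL
  }
}

// Decide from Origin only. Referer is reported for logging, never trusted.
function checkSource(headers) {
  const origin = toOrigin(headers["origin"]);
  const refererSeen = toOrigin(headers["referer"]);
  if (origin === null) {
    return { allow: false, reason: "no usable Origin", refererSeen };
  }
  const allow = ALLOWED.has(origin);
  return { allow, reason: allow ? "origin allowed" : "origin not allowed", refererSeen };
}

// The fragile alternative: breaks whenever the browser omits Referer.
function refererOnlyCheck(headers) {
  return ALLOWED.has(toOrigin(headers["referer"]));
}

// Constructed requests covering the cases named in the text.
const samples = {
  // Referer suppressed (policy, or a fetch option), Origin still sent
  noReferer: { origin: "https://app.example" },
  // Both headers present
  both: { origin: "https://app.example", referer: "https://app.example/inbox?id=7" },
  // Request from a different site
  foreign: { origin: "https://other.example", referer: "https://other.example/" },
  // Opaque origin (for example a sandboxed frame)
  opaque: { origin: "null" },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, checkSource(headers), "refererOnly:", refererOnlyCheck(headers));
}
```

The `noReferer` case is the one the solution is about: the request is legitimate, the Origin check accepts it, and the Referer-only check rejects it.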