How reliable is origin or referrer in this case?

Hi all,
I want to be able to verify that the domain (SiteA_com, see below) matches some data before returning JSON.

My worker returns JSON called by a static js file (i.e. loader_com/script.js). I want to find the original webpage URL that is calling the worker. How reliable is using `Request.headers.get('Referrer')` or `'Origin'` in the Worker to get "SiteA_com"?

SiteA_com has <script src="loader_com/script.js"> in which the script does an xhr GET to my Cloudflare worker_com/api/somefunction to return JSON.

Not very - you can set/intercept headers, but it depends on the security model for this data.

If you just want to do a best-effort to prevent other sites from using it directly, implement CORS: Cross-Origin Resource Sharing (CORS) - HTTP | MDN. If you just want to verify, “is the script embedded in this allowlisted set of domains”, then a referer approach is fine. Or if it’s really something you need to protect, put it behind some kind of authentication.
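An added example (not code from the thread) of the best-effort approach the reply describes, as a Cloudflare Worker handler: it answers CORS preflights, checks the browser-supplied Origin (falling back to Referer) against an allowlist, and rejects everything else. The hostnames and the JSON payload are placeholders.

```javascript
// Constructed allowlist of hosts whose pages may call this endpoint (placeholders).
const ALLOWED_HOSTS = new Set(['sitea.example', 'www.sitea.example']);

// Hostname the browser reports: Origin is sent on cross-origin XHR/fetch, Referer
// is the fallback. Both are set by the browser, so this is best-effort only.
function callerHost(request) {
  for (const name of ['Origin', 'Referer']) {
    const value = request.headers.get(name);
    if (!value) continue;
    try { return new URL(value).hostname; } catch { /* unparsable (e.g. "null"); try next */ }
  }
  return null;
}

function isAllowedCaller(request) {
  const host = callerHost(request);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Echo the single allowed origin back; Vary so caches never serve one origin's
// response (with its ACAO header) to another.
function corsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET, OPTIONS',
    'Vary': 'Origin',
  };
}

function handleRequest(request) {
  if (!isAllowedCaller(request)) {
    return new Response(JSON.stringify({ error: 'forbidden' }), {
      status: 403, headers: { 'Content-Type': 'application/json' } });
  }
  const origin = request.headers.get('Origin');
  const cors = origin ? corsHeaders(origin) : {}; // no Origin header: plain (non-CORS) reply
  if (request.method === 'OPTIONS') {
    return new Response(null, { status: 204, headers: cors });
  }
  const body = JSON.stringify({ ok: true, caller: callerHost(request) }); // placeholder payload
  return new Response(body, {
    status: 200, headers: { 'Content-Type': 'application/json', ...cors } });
}

// Wire into the Worker (service-worker syntax); a no-op outside the Workers runtime.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```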