Are there any browsers that set the origin header to “null” for privacy-sensitive contexts?

Backend · unresolved · 4 answers · 670 views
故里飘歌 2020-12-01 01:21

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rat

4 answers
  • 2020-12-01 02:02

    I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.

    0 · Discuss (0)
  • 2020-12-01 02:07

    Check here: https://bugs.chromium.org/p/chromium/issues/detail?id=154967

    by strobe@google.com

    This behavior is actually in the spec [1]. See section 7.1.7 step 6.

    Unfortunately the convention of transmitting the string "null" makes it seem like it could be a bug; I thought so myself until I tracked this down :)

    We could probably do a better job of explaining this in the inspector:

    http://www.w3.org/TR/cors/#generic-cross-origin-request-algorithms

    0 · Discuss (0)
  • 2020-12-01 02:12

    I have similar situation, doing redirects in ajax from domain A->B and finally back to A. As origin is null, CORS fails.

    On domain A I set Access-Control-Allow-Origin: null, which seems to work, will need to test more.

    0 · Discuss (0)
  • 2020-12-01 02:19

    There are a few other cases related to iframe which can cause a null origin: https://webdbg.com/test/sandbox/frames.htm

    0 · Discuss (0)