AJAX call following 302 redirect sets origin to null

ajax http redirect cross-domain cors

13,356

See here, this seems to suggest its related to a "privacy-sensitive" context.

Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?

13,356

Related videos on Youtube

Author by

Brrrr

Hi there!

Updated on June 03, 2022

Comments

Brrrr about 2 years
I'm doing an AJAX call from domain A to domain B.

My domain B checks if A is in the list of allowed domains and sets the Access-Control-allow-Origin to domain A. So far, so good.

Domain B responds to the request by sending a 302 redirect to domain C using the Location header.

The AJAX call follows the redirect to domain C but has the header: Origin: null.

I expected the origin header to be set to domain A, after following the redirect.

Can anyone explain to me why the origin is set to null instead of to domain A?

Example
1. Request from domain A to B
```
GET / HTTP/1.1
Host: domain-B.com
Origin: http://domain-A.com
```
2. Response from domain B :
```
Access-Control-Allow-Origin: http://domain-A.com
Location: http://domain-C.com
```
3. AJAX call follows the redirect to domain C:
```
GET  HTTP/ 1.1
Host: domain-C.com
Origin: null
```
- Alessandro over 8 years
  
  Hello, I have a question...how you solved the problem? It is very interessant for all...Did you apply changes side domain A or side domain B? Thanks!
- dur over 6 years
  
  Possible duplicate of Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?
Fabien Warniez almost 7 years

WOW. That just defeats the purpose of CORS and is incredibly insecure. Please don't do this.
Fabien Warniez over 6 years

If you do this unconditionally then they're both pretty bad. If you want to support null origins, you need to specifically return null, if you want to support any origin, but not null origins, then wildcard will work. It's best to check what the origin / referrer is first though.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?

How to troubleshoot crashes detected by Google Play Store for Flutter app

Cupertino DateTime picker interfering with scroll behaviour

Why does awk -F work for most letters, but not for the letter "t"?

Flutter change focus color and icon color but not works

How to print and connect to printer using flutter desktop via usb?

Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0

Flutter Dart - get localized country name from country code

navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage

Android Sdk manager not found- Flutter doctor error

Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)

How to change the color of ElevatedButton when entering text in TextField

Related

Access-Control-Allow-Origin syntax

How to redirect with Flask and jQuery

CORS request failure with jQuery using withCredentials and client certificates

Access-Control-Request-Header: - x-requested-with

How to handle CORS error code?

Cross-domain AJAX request not working

Understanding AJAX CORS and security considerations

CORS request with Preflight and redirect: disallowed. Workarounds?

Best method: Access-Control-Allow-Origin Multiple Origin Domains

Jetty Cross Origin Filter