AJAX call following 302 redirect sets origin to null


See here, this seems to suggest it's related to a "privacy-sensitive" context.

Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?




Updated on June 03, 2022

Comments

  • Brrrr
    Brrrr about 2 years

    I'm doing an AJAX call from domain A to domain B.

    My domain B checks if A is in the list of allowed domains and sets the Access-Control-allow-Origin to domain A. So far, so good.

    Domain B responds to the request by sending a 302 redirect to domain C using the Location header.

    The AJAX call follows the redirect to domain C but has the header: Origin: null.

    I expected the origin header to be set to domain A, after following the redirect.

    Can anyone explain to me why the origin is set to null instead of to domain A?

    Example

    1. Request from domain A to B:

      GET / HTTP/1.1
      Host: domain-B.com
      Origin: http://domain-A.com

    2. Response from domain B (a 302 redirect to domain C):

      HTTP/1.1 302 Found
      Access-Control-Allow-Origin: http://domain-A.com
      Location: http://domain-C.com

    3. AJAX call follows the redirect to domain C:

      GET / HTTP/1.1
      Host: domain-C.com
      Origin: null
      
  • Fabien Warniez
    Fabien Warniez almost 7 years
    WOW. That just defeats the purpose of CORS and is incredibly insecure. Please don't do this.
  • Fabien Warniez
    Fabien Warniez over 6 years
    If you do this unconditionally then they're both pretty bad. If you want to support null origins, you need to specifically return null, if you want to support any origin, but not null origins, then wildcard will work. It's best to check what the origin / referrer is first though.