AJAX call following 302 redirect sets origin to null
See here, this seems to suggest it's related to a "privacy-sensitive" context.
Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?
Comments
-
Brrrr about 2 years
I'm doing an AJAX call from domain A to domain B.
My domain B checks if A is in the list of allowed domains and sets the Access-Control-Allow-Origin to domain A. So far, so good.
Domain B responds to the request by sending a 302 redirect to domain C using the Location header.
The AJAX call follows the redirect to domain C but has the header: Origin: null.
I expected the Origin header to be set to domain A after following the redirect.
Can anyone explain to me why the origin is set to null instead of to domain A?

Example

Request from domain A to B:
GET / HTTP/1.1
Host: domain-B.com
Origin: http://domain-A.com

Response from domain B:
Access-Control-Allow-Origin: http://domain-A.com
Location: http://domain-C.com

AJAX call follows the redirect to domain C:
GET / HTTP/1.1
Host: domain-C.com
Origin: null
-
Alessandro over 8 years
Hello, I have a question... how did you solve the problem? It is very interesting for everyone... Did you apply changes on the domain A side or on the domain B side? Thanks!
-
dur over 6 years
-
Fabien Warniez almost 7 years
WOW. That just defeats the purpose of CORS and is incredibly insecure. Please don't do this.
-
Fabien Warniez over 6 years
If you do this unconditionally then they're both pretty bad. If you want to support null origins, you need to specifically return null, if you want to support any origin, but not null origins, then wildcard will work. It's best to check what the origin / referrer is first though.
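The following is an added example, not code from the question or from any of the commenters. It models the server side of the A -> B -> C chain in Brrrr's question and the allowlist-first handling that the last comment recommends: a function that decides which CORS headers to emit for a given Origin value, treating "null" as a distinct case that must be opted into, plus a small replay of the redirect chain. The hostnames are the placeholders from the question; the allowlist, the function names and the replay record format are assumptions made for this example. The one standards fact it relies on is that the Fetch standard replaces a CORS request's origin with an opaque origin, serialized as "null", when the request is redirected to a different origin, which is the value domain C observes.

```javascript
// Added example, not code from the thread: server-side CORS decision for the
// A -> B -> C redirect case, and why domain C sees "Origin: null".

// Constructed allowlist of origins that domains B and C trust (hostnames are
// the placeholders from the question).
const ALLOWED_ORIGINS = new Set(['http://domain-A.com']);

// Decide which CORS response headers to emit for a request that carried
// `originHeader` (undefined when the browser sent no Origin header at all).
//   allowNull:   accept "Origin: null" explicitly. Sandboxed iframes, file://
//                pages and requests that followed a cross-origin redirect all
//                send it, so it identifies nobody and is off by default.
//   credentials: the endpoint is meant to be called with cookies; the header
//                is only added when a specific origin was accepted.
function corsHeadersFor(originHeader, allowed, { allowNull = false, credentials = false } = {}) {
  const headers = {};
  if (originHeader === undefined) return headers;   // not a cross-origin browser request

  if (originHeader === 'null') {
    if (!allowNull) return headers;                  // untrusted unless opted in
    headers['Access-Control-Allow-Origin'] = 'null';
  } else if (allowed.has(originHeader)) {
    headers['Access-Control-Allow-Origin'] = originHeader; // echo only listed origins
  } else {
    return headers;                                  // unknown origin: no CORS headers
  }
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Vary'] = 'Origin';                        // keep caches from mixing origins
  return headers;
}

// What the browser sends as Origin after following a redirect. Per the Fetch
// standard, a CORS request redirected to a different origin continues with an
// opaque origin, which serializes as the string "null".
function originAfterRedirect(originHeader, fromUrl, toUrl) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  return sameOrigin ? originHeader : 'null';
}

// Replay the hops from the question and record what each server sees and
// answers. Domain C uses the same allowlist and does not opt in to null.
function replayQuestion() {
  const hops = [];

  // Hop 1: domain A -> domain B; B recognises A and (elsewhere) answers 302 to C.
  const originAtB = 'http://domain-A.com';
  hops.push({ host: 'domain-B.com', origin: originAtB,
              response: corsHeadersFor(originAtB, ALLOWED_ORIGINS) });

  // Hop 2: the browser follows the redirect to domain C with an opaque origin.
  const originAtC = originAfterRedirect(originAtB, 'http://domain-B.com/', 'http://domain-C.com/');
  hops.push({ host: 'domain-C.com', origin: originAtC,
              response: corsHeadersFor(originAtC, ALLOWED_ORIGINS) });

  return hops;
}
```

In the replay, domain B answers with Access-Control-Allow-Origin: http://domain-A.com, while domain C sees "null", finds no opt-in, and sends no CORS headers, so the browser blocks the response, which is the behaviour Brrrr observed. The design choice worth noting is that "null" is handled as its own branch rather than by reflecting whatever Origin arrived: echoing an unlisted origin back is the unconditional behaviour the comments warn against, and browsers accept a wildcard "*" for any non-credentialed request regardless of the Origin value, so a wildcard is a way to widen access, not a way to keep null origins out.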