
The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

My questions: What is a "privacy-sensitive" context, and are there any browsers that exhibit this behavior?

Here is the full phrasing from the Origin spec:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

NOTE: This document does not define the notion of a privacy-sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields.

– monsur

4 Answers


I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.

– monsur
  • 13
    There is no way around this. This makes AJAX-CAS logins impossible. – cweiske May 21 '14 at 11:44
  • 2
    It's almost unbelievable how similar I found your question and thought process to mine. Our team faced an issue with CORS on web during preflighting of a POST request to access Auth headers on web, while not facing any such problems on Android. Which got me thinking why CORS is not applicable to Android. I found out that our Android guys hadn't even heard about OPTIONS and CORS. Weird, right? I then went on to read the specs and found the ORIGIN section and the null string point and then googled if there's a security flaw to exploit the null string in CORS. – SLearner Mar 04 '16 at 14:51
  • This is not happening in the 'Edge' browser; it actually sends the actual 'client' URL originating the request. Ideally it should be 'null'. A similar issue is filed as a bug on the Microsoft developer website, which is still open. Ref: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/8680109/ – arunk2 Apr 25 '17 at 10:10
  • Damn this is annoying. Spent a long time debugging before I found this answer. – A Redfearn Feb 23 '23 at 16:34
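To make the redirect rule in this answer concrete (it is the same rule that a comment on a later answer quotes from the Fetch standard's HTTP-redirect-fetch algorithm), here is an added example that is not part of the original answer: a small Node.js model of that step. It performs no network requests; it only computes which Origin value the final server would see. The hostnames are constructed, and the single `corsFlag` argument stands in for the spec's CORS flag.

```javascript
// Added example, not code from the question or answers: a model of the
// Fetch standard's HTTP-redirect-fetch rule described in the accepted answer.
// Rule: if the CORS flag is set and the Location URL's origin is not
// same-origin with the request's current URL, the request's origin becomes
// a unique opaque origin, which the Origin header serializes as "null".

// Serialize a URL's origin the way the Origin header does. Opaque origins
// (file:, data: ...) serialize as the literal string "null".
function serializedOrigin(url) {
  return new URL(url).origin;
}

// Compute the request origin after one redirect hop.
//   currentUrl    - the URL the request was just sent to
//   requestOrigin - the serialized origin currently attached to the request
//   location      - the Location header value (absolute or relative)
//   corsFlag      - true for a cross-origin fetch/XHR that is subject to CORS
// Returns the new serialized origin and the resolved next URL.
function redirectHop(currentUrl, requestOrigin, location, corsFlag) {
  const nextUrl = new URL(location, currentUrl).href; // resolve a relative Location
  const crossOrigin = serializedOrigin(nextUrl) !== serializedOrigin(currentUrl);
  // Only CORS requests get the privacy protection; same-origin hops keep the origin.
  const origin = corsFlag && crossOrigin ? "null" : requestOrigin;
  return { origin, nextUrl };
}

// Follow a whole chain of Location headers and report the origin the final
// server sees. Once the origin has become opaque it never recovers, which is
// why an A -> B -> A chain still arrives back at A with Origin: null.
function originAfterRedirects(pageOrigin, startUrl, locations, corsFlag = true) {
  let state = { origin: pageOrigin, nextUrl: startUrl };
  for (const loc of locations) {
    state = redirectHop(state.nextUrl, state.origin, loc, corsFlag);
  }
  return state.origin;
}

// Constructed walkthrough with made-up hostnames (a.example, api.example, b.example).
if (typeof require !== "undefined" && require.main === module) {
  // Cross-origin API call that redirects within the same API host: origin is kept.
  console.log(originAfterRedirects("https://a.example", "https://api.example/v1", ["/v2"]));
  // Login dance A -> B -> A: the origin is "null" by the time A sees the request.
  console.log(originAfterRedirects("https://a.example", "https://a.example/api",
    ["https://b.example/sso", "https://a.example/api/callback"]));
  // A page opened from disk also has an opaque origin.
  console.log(serializedOrigin("file:///home/user/page.html"));
}
```

The model is deliberately one-sided: it shows what the browser does to the request's origin, not how the servers in the chain should respond. Debugging a "mysterious" `Origin: null` usually reduces to replaying the Location chain through `originAfterRedirects` and finding the first hop that changes origin.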

Check here: https://bugs.chromium.org/p/chromium/issues/detail?id=154967

by strobe@google.com

This behavior is actually in the spec [1]. See section 7.1.7 step 6.

Unfortunately the convention of transmitting the string "null" makes it seem like it could be a bug; I thought so myself until I tracked this down :)

We could probably do a better job of explaining this in the inspector:

http://www.w3.org/TR/cors/#generic-cross-origin-request-algorithms

– user2322292
    Upvoted but note that the current spec is at https://fetch.spec.whatwg.org/ and the specific relevant citation is to step 10 of https://fetch.spec.whatwg.org/#http-redirect-fetch, which reads *If CORS flag is set and actualResponse’s location URL’s origin is not same origin with request’s current url’s origin, then set request’s origin to a unique opaque origin*. The “unique opaque origin” means an origin that will get serialized as “null”. http://www.w3.org/TR/cors/ should not be referenced any more, because it’s been obsoleted by https://fetch.spec.whatwg.org/ – sideshowbarker Apr 18 '17 at 00:40

I have a similar situation, doing redirects in ajax from domain A->B and finally back to A. As the origin is null, CORS fails.

On domain A I set Access-Control-Allow-Origin: null, which seems to work, will need to test more.

– Viktor D

There are a few other cases which can cause a null origin: https://webdbg.com/test/sandbox/frames.htm

– Eric