
We have a micro-service that allows CORS using the Access-Control-Allow-Origin header. It works fine. However, we have a complicated setup:

subdomain-A.welt.de has an iFrame that points to subdomain-B.welt.de. subdomain-B.welt.de calls the micro-service (somewhere else) via XHR and requires CORS.

Within that iFrame, and only there, subdomain-B.welt.de sends null as the Origin header for every XHR request.

I am not absolutely certain what the cause of this is, and in my research I stumbled upon document.domain, but as I am uncertain, I don't know if that is something to consider (or the right way to fix whatever is happening here).

Lukas
  • This may be due either to an iframe’s `sandbox` value not containing `allow-same-origin` (see https://stackoverflow.com/a/44765536/441757) or due to a request getting redirected from a URL at one origin to one at a different origin (see https://stackoverflow.com/questions/53549369/iframe-sends-origin-as-null#comment93966138_53549369). For both cases, browsers set the origin to null. To fix: add `allow-same-origin` to the `sandbox` value, or eliminate the cross-origin redirect. For other cases where browsers set the origin to null, see the answer at https://stackoverflow.com/a/42242802/441757. – sideshowbarker Nov 21 '19 at 01:37
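
Added example, not part of the original question or comment: the micro-service side of this situation, showing how it can choose `Access-Control-Allow-Origin` per request without ever accepting the `null` value that a sandboxed frame sends. The names `PARENT_DOMAIN` and `corsHeadersFor` are hypothetical, and the policy (any https subdomain of welt.de) is an assumption based on the hostnames in the question.

```javascript
// Added example: server-side decision for Access-Control-Allow-Origin.
// PARENT_DOMAIN and corsHeadersFor are hypothetical names; the policy
// (any https subdomain of welt.de) is an assumption based on the question.
const PARENT_DOMAIN = "welt.de";

function corsHeadersFor(originHeader) {
  // Vary: Origin keeps caches from serving one origin's response to another.
  const deny = { Vary: "Origin" };

  // No Origin header at all: not a CORS request, nothing to add.
  if (originHeader === undefined || originHeader === "") return {};

  // "null" is how browsers serialize an opaque origin (sandboxed iframe
  // without allow-same-origin, cross-origin redirect, ...). It identifies
  // no site, so it is never treated as a match for the allowlist.
  if (originHeader === "null") return deny;

  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return deny; // not a parseable origin
  }

  // A real Origin value is exactly scheme://host[:port], nothing more.
  if (url.origin !== originHeader || url.protocol !== "https:") return deny;

  // Match on a label boundary so "evilwelt.de" does not pass as "welt.de".
  const host = url.hostname;
  if (host !== PARENT_DOMAIN && !host.endsWith("." + PARENT_DOMAIN)) return deny;

  return { "Access-Control-Allow-Origin": originHeader, Vary: "Origin" };
}

// Constructed sample Origin values.
for (const o of ["https://subdomain-b.welt.de", "null", "https://evilwelt.de"]) {
  console.log(o, "->", corsHeadersFor(o)["Access-Control-Allow-Origin"] ?? "(not allowed)");
}
```

With a check like this in place, the `null` requests from the iframe keep failing until the frame's origin is restored on the client side, as the comment above describes.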
