4

I have an iframe into which content is injected by the third-party library I am using.

<iframe id="targetIframe"></iframe>

The library is injecting a form which the user needs to submit. The problem is that when the form is initialized they are doing some requests and the Origin header is sent as null, which is causing a problem because their servers are not allowing a null value.

I tried to add the sandbox attribute, and even tried to fake the call with an origin, but the iframe is secured with CORS.

Is there any way to overcome this, or should it be the third-party library developers' responsibility?

This is a request which is being returned as HTTP 302, and I have read that browsers are always sending Origin: null for 302. Is that right?

  • 3
    Browsers only set the origin to null for redirects (including 302 redirects) in the particular case that the redirect is from a URL at one origin to a URL at a different origin. For other cases where browsers set the origin to null, see the answer at https://stackoverflow.com/questions/42239643/when-does-firefox-set-the-origin-header-to-null-in-post-requests/42242802#42242802. If you can’t eliminate that cross-origin redirect, then there’s no way to overcome the origin getting set to null. So yeah, in that case it would be the third-party developer’s responsibility (if that’s who’s causing it). – sideshowbarker Nov 30 '18 at 01:08
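
To check which hop of a redirect chain turns the Origin value into null, the following added example (not part of the original question or comment) models the Fetch Standard's redirect-tainted origin rule. It goes slightly beyond the comment: the rule also requires that the initiating document's origin differ from the redirecting URL's origin. The function name and all hostnames are assumptions constructed for illustration.

```javascript
// Added example: models the Fetch Standard "redirect-tainted origin" check.
// All hostnames below are constructed placeholders.

// Origin (scheme://host[:port]) of an absolute URL.
function originOf(url) {
  return new URL(url).origin;
}

// requestOrigin: serialized origin of the document that started the request,
//   or "null" for an opaque origin (for example an iframe sandboxed
//   without allow-same-origin).
// urlList: the first request URL followed by each redirect target, in order.
// Returns the Origin value the browser uses at each hop, when it sends one.
function originPerHop(requestOrigin, urlList) {
  const hops = [];
  let tainted = false;
  let last = null;
  for (const url of urlList) {
    if (last !== null) {
      const crossOriginHop = originOf(url) !== originOf(last);
      const initiatorIsForeign =
        requestOrigin === "null" || requestOrigin !== originOf(last);
      // Once tainted, every later hop also serializes as "null".
      if (crossOriginHop && initiatorIsForeign) tainted = true;
    }
    hops.push({ url, origin: tainted ? "null" : requestOrigin });
    last = url;
  }
  return hops;
}

// Constructed scenarios: a page on shop.example embedding a payment form.
const page = "https://shop.example";
const scenarios = {
  sameOriginRedirect: originPerHop(page, [
    "https://pay.example/init", "https://pay.example/form"]),
  crossOriginRedirect: originPerHop(page, [
    "https://pay.example/init", "https://cdn.pay.example/form"]),
  firstHopFromOwnOrigin: originPerHop(page, [
    "https://shop.example/go", "https://pay.example/init",
    "https://cdn.pay.example/form"]),
  sandboxedFrame: originPerHop("null", ["https://pay.example/init"]),
};
for (const [name, hops] of Object.entries(scenarios)) {
  console.log(name, hops.map((h) => `${h.url} -> Origin: ${h.origin}`));
}
```

Comparing this output with the Origin values in the browser's network panel shows whether the null comes from the redirect chain or from the frame's own opaque origin.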

0 Answers