
The definition of the Origin header says:

origin-or-null  = origin / %s"null" ; case-sensitive

Is "null" to be managed like a domain name? In other words, can the server accept requests when "null" was used (at least in some circumstances), or is it considered a fault all the time?

I've looked for an explanation in the Fetch Documentation but so far I've not found an answer to this specific question.

Alexis Wilke

1 Answer


By sending an Origin: null header, a browser is indicating the request is from an opaque origin. That is, the browser is signaling to you as a server maintainer that the request wasn’t initiated in a typical way from an app actually running on the web and using an Ajax method or Fetch or XHR to call your server — so it’s probably not a use case which you actually intend your service to support.

So you generally don’t want to send the Access-Control-Allow-Origin response header when responding to Origin: null requests. In other words, you want browsers to block any frontend JavaScript code from accessing the response you send back for such requests.

While the most common case when browsers set the Origin header to null is probably when frontend code is being run from somebody’s local filesystem (from a file:// URL, instead of from a Web server) — there are a number of other cases where browsers also set the Origin header to null. For an exhaustive list, see https://stackoverflow.com/a/42242802/441757.

https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null has an explanation of how you should look at such cases:

It may seem safe to return Access-Control-Allow-Origin: "null" , but the serialization of the Origin of any resource that uses a non-hierarchical scheme (such as data: or file:) and sandboxed documents is defined to be "null". Many User Agents will grant such documents access to a response with an Access-Control-Allow-Origin: "null" header, and any origin can create a hostile document with a "null" Origin. The "null" value for the ACAO header should therefore be avoided.

In other words, you may think it’d be useful to send back Access-Control-Allow-Origin for Origin: null requests if you intentionally want to allow responses from your server to be consumed in frontend JavaScript code running on somebody’s local filesystem (e.g., for somebody doing local testing). But by doing that, you’d not be allowing just the local-filesystem case but also all the other cases described in https://stackoverflow.com/a/42242802/441757. It’s all or nothing.

sideshowbarker
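The server-side handling the answer describes, as an added example that is not part of the question or the answer above: a small Node.js origin check that compares the incoming Origin header against an exact allowlist and treats `Origin: null` as an opaque origin that is never reflected in Access-Control-Allow-Origin. The allowlisted hostnames, the port and the function names are assumptions made up for this illustration.

```javascript
// Added example (not from the original post): CORS origin check for a
// Node.js server that refuses to reflect "null" as an allowed origin.
// The allowlist below is an assumption made up for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS response headers to add for a given Origin header value,
// or null when the response must stay hidden from cross-origin scripts.
function corsHeadersFor(originHeader, allowlist = ALLOWED_ORIGINS) {
  // No Origin header at all: same-origin navigation or a non-browser client.
  if (originHeader === undefined || originHeader === null) return null;

  // "null" is the serialization of an opaque origin (file://, data:,
  // sandboxed iframes, cross-origin redirects, ...). It is not a hostname,
  // and any page can obtain it, so it is never treated as allowlisted.
  if (originHeader === 'null') return null;

  // Compare the exact serialized origin (scheme + host + port), never a
  // substring or regex, so "https://app.example.com.evil.test" is rejected.
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return null; // malformed Origin value
  }
  // A real Origin header carries no path or trailing slash; anything else
  // (or a scheme whose origin serializes to "null") fails this check.
  if (parsed.origin !== originHeader) return null;
  if (!allowlist.has(parsed.origin)) return null;

  return {
    'Access-Control-Allow-Origin': parsed.origin,
    // The response depends on the Origin header, so caches must key on it.
    Vary: 'Origin',
  };
}

// Apply the decision to an HTTP response; no headers are added when the
// origin is opaque, malformed or not allowlisted.
function applyCors(req, res) {
  const headers = corsHeadersFor(req.headers.origin);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
  }
  return headers !== null;
}

// Stand-alone demo server (port is an assumption): only started when the
// file is executed directly under CommonJS, never when imported by a test.
if (typeof require !== 'undefined' && require.main === module) {
  const http = require('node:http');
  http
    .createServer((req, res) => {
      const allowed = applyCors(req, res);
      res.setHeader('Content-Type', 'application/json');
      res.end(JSON.stringify({ corsAllowed: allowed, origin: req.headers.origin ?? null }));
    })
    .listen(8080, () => console.log('listening on http://127.0.0.1:8080'));
}

module.exports = { corsHeadersFor, applyCors, ALLOWED_ORIGINS };
```

Running the server and sending `curl -H 'Origin: null' http://127.0.0.1:8080/` shows a response without any Access-Control-Allow-Origin header, while `-H 'Origin: https://app.example.com'` gets the header echoed back; with a `file://` page in a browser the request arrives with `Origin: null` and the fetch fails the CORS check, which is the intended outcome.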