
Client tries to access http://example.com/token/, but example.com has an HSTS header and the client's browser redirects (307) to https://example.com/token/ with Origin set to 'null', which is blocked by CORS, and 'null' cannot be in our allowed CORS origins.

The error:

Access to XMLHttpRequest at https://example.com/token/ (redirected from http://example.com/token/) from origin 'null' has been blocked by CORS policy

How can the issue be solved?

Teodor Scorpan
    `https://example.com` is a different origin than `http://example.com`. And when a request is redirected across origins, the browser sets the origin of the request to null. That behavior is required by the Fetch spec. The browser marks the origin as “tainted” in that case. See https://fetch.spec.whatwg.org/#ref-for-concept-request-tainted-origin%E2%91%A0 and https://stackoverflow.com/q/30193851/441757 and https://stackoverflow.com/a/22625354/441757 – sideshowbarker Mar 28 '19 at 01:21

0 Answers
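The following is an added example, not code from the question or from the commenter. It shows the two sides of the situation described above: a server-side CORS origin check that echoes only exact allow-listed origins and never the literal string `null` (which is what the browser sends once the request has been redirected across origins), and a client-side helper that builds the request URL on the https origin directly so the HSTS redirect, and the tainted origin, never occur. It assumes Node.js with the WHATWG `URL` API; `example.com` comes from the question, while the allow-list contents and the function names are assumptions for illustration.

```javascript
// Added example (not from the question or the commenter). Assumes Node.js.
// The allow-list entries below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  'https://example.com',
  'https://app.example.com', // assumed second front-end origin
]);

// Decide the Access-Control-Allow-Origin value for a request.
// Returns the exact origin to echo back, or null to refuse.
// The literal 'null' origin is refused on purpose: the browser sends it
// after a cross-origin redirect (the HSTS 307 in the question) and also
// from sandboxed iframes and file:// pages, so allowing it would let any
// such context read the response.
function allowedCorsOrigin(requestOrigin, allowList = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string') return null;
  if (requestOrigin === 'null') return null;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return null; // malformed Origin header
  }
  // Compare on the normalised origin (scheme://host[:port], default port
  // dropped) so 'https://example.com:443' matches 'https://example.com'.
  const origin = parsed.origin;
  return allowList.has(origin) ? origin : null;
}

// Build the CORS response headers for an incoming request's headers object.
// Returns {} when the origin is not allowed, so no ACAO header is emitted.
function corsResponseHeaders(requestHeaders, allowList = ALLOWED_ORIGINS) {
  const origin = allowedCorsOrigin(requestHeaders.origin, allowList);
  if (origin === null) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    // Vary on Origin so caches do not serve one origin's ACAO to another.
    'Vary': 'Origin',
  };
}

// Client side: point the request at the https origin up front. With no
// http -> https redirect there is no cross-origin hop, so the Origin header
// stays intact instead of becoming 'null'.
function toHttpsUrl(url) {
  const u = new URL(url);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.toString();
}

// Example of what the client would call instead of the http:// URL:
//   fetch(toHttpsUrl('http://example.com/token/'), { credentials: 'include' })
```

In the handler, the `{}` result for a `null` or unknown origin means the browser's CORS check fails closed; the client-side fix is simply to never issue the request to the http:// URL in the first place, since the redirect is what taints the origin.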