Are there any browsers that set the origin header to “null” for privacy-sensitive contexts?

by

I’ve finally figured out an answer to this. There is at least one other situation where an Origin header may be “null”. When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to “null”. I suppose this is considered a “privacy-sensitive context” because the browser doesn’t want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.

More Related Contents:

  1. How to resolve ‘preflight is invalid (redirect)’ or ‘redirect is not allowed for a preflight request’
  2. Access-Control-Allow-Origin wildcard subdomains, ports and protocols
  3. What is an opaque response, and what purpose does it serve?
  4. How to enable Cross domain requests on JAX-RS web services?
  5. Adding Access-Control-Allow-Origin header response in Laravel 5.3 Passport
  6. same-origin policy and CORS – what’s the point?
  7. What is the issue CORS is trying to solve?
  8. How to apply CORS preflight cache to an entire domain
  9. Why are CORS requests failing in Microsoft Edge but working in other browsers?
  10. Why is Access-Control-Expose-Headers needed?
  11. Response to preflight request doesn’t pass access control check
  12. AngularJS performs an OPTIONS HTTP request for a cross-origin resource
  13. Handle response – SyntaxError: Unexpected end of input when using mode: ‘no-cors’
  14. What is the motivation behind the introduction of preflight CORS requests?
  15. enabling cross-origin resource sharing on IIS7
  16. IE9 jQuery AJAX with CORS returns “Access is denied”
  17. htaccess Access-Control-Allow-Origin
  18. How to skip the OPTIONS preflight request?
  19. enable cors in .htaccess
  20. 401 response for CORS request in IIS with Windows Auth enabled
  21. Error :Request header field Content-Type is not allowed by Access-Control-Allow-Headers
  22. Standalone Spring OAuth2 JWT Authorization Server + CORS
  23. Set-Cookie on Browser with Ajax Request via CORS
  24. CORS and phonegap apps
  25. CORS: credentials mode is ‘include’
  26. CORS Support within WCF REST Services
  27. Empty body in fetch POST request
  28. Response for preflight has invalid HTTP status code 401 – Spring
  29. .NET Web API CORS PreFlight Request
  30. Can Cross-Origin Resource Sharing headers authorize X-Domain IFRAME access?

Leave a Comment