Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?
4

45

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

My questions: What is a "privacy-sensitive" context, and are there any browsers that exhibit this behavior?

Here is the full phrasing from the Origin spec:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

NOTE: This document does not define the notion of a privacy-sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields.

Jonniejonny answered 14/3, 2014 at 5:42 Comment(0)
83

I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.

Jonniejonny answered 25/3, 2014 at 4:17 Comment(4)
There is no way around this. This makes AJAX-CAS logins impossible. (Villain)
It's almost unbelievable how similar I found your question and thought process to mine. Our team faced an issue with CORS on web during preflighting of a POST request to access Auth headers on web, while not facing any such problems on Android. Which got me thinking why CORS is not applicable to Android. I found out that our Android guys hadn't even heard about OPTIONS and CORS. Weird, right? I then went on to read the specs and found the ORIGIN section and the null string point, and then googled whether there's a security flaw to exploit the null string in CORS. (Lard)
This is not happening in the 'Edge' browser; it actually sends the actual 'client' URL originating the request. Ideally it should be 'null'. A similar issue is filed as a bug on the Microsoft developer website, which is still open. Ref: developer.microsoft.com/en-us/microsoft-edge/platform/issues/… (Guaco)
Damn, this is annoying. Spent a long time debugging before I found this answer. (Diabetic)
5

Check here: https://bugs.chromium.org/p/chromium/issues/detail?id=154967

by [email protected]

This behavior is actually in the spec [1]. See section 7.1.7 step 6.

Unfortunately the convention of transmitting the string "null" makes it seem like it could be a bug; I thought so myself until I tracked this down :)

We could probably do a better job of explaining this in the inspector:

http://www.w3.org/TR/cors/#generic-cross-origin-request-algorithms

Osullivan answered 18/4, 2017 at 0:3 Comment(1)
Upvoted, but note that the current spec is at fetch.spec.whatwg.org and the specific relevant citation is to step 10 of fetch.spec.whatwg.org/#http-redirect-fetch, which reads: "If CORS flag is set and actualResponse's location URL's origin is not same origin with request's current url's origin, then set request's origin to a unique opaque origin." The "unique opaque origin" means an origin that will get serialized as "null". w3.org/TR/cors should not be referenced any more, because it's been obsoleted by fetch.spec.whatwg.org (Plausible)
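The redirect step quoted in the comment above, written out as an added example (a model of the spec text, not code from the page, from any browser, or from the Fetch standard's reference implementation). It also covers the A -> B -> A login flow reported later on the page. Hostnames and redirect chains are constructed; `URL` is a global in Node and in browsers.

```javascript
// Added example: a model of the Fetch spec steps that turn a CORS request's
// origin into an opaque origin (serialized as "null") on a cross-origin
// redirect. Re-implemented from the quoted spec text for illustration only.

function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Main fetch: the CORS flag is set when a mode "cors" request's current URL is
// not same origin with the request's origin. An opaque origin ("null") is never
// same origin with anything, so a tainted request keeps the flag set.
function corsFlagFor(request) {
  if (request.mode !== 'cors') return false;
  if (request.origin === 'null') return true;
  return !isSameOrigin(request.origin, request.currentUrl);
}

// HTTP-redirect fetch, the step quoted above: if the CORS flag is set and the
// Location URL's origin differs from the current URL's origin, the request's
// origin becomes a new opaque origin. Location may be relative to the current URL.
function followRedirect(request, location) {
  const nextUrl = new URL(location, request.currentUrl);
  const next = { ...request, currentUrl: nextUrl.href };
  if (corsFlagFor(request) && !isSameOrigin(request.currentUrl, nextUrl.href)) {
    next.origin = 'null';
  }
  return next;
}

// Walk a redirect chain and record, per hop, the serialized request origin
// (what an Origin header would carry) and whether the CORS flag is set.
function traceRedirects(pageOrigin, firstUrl, locations, mode = 'cors') {
  let req = { origin: pageOrigin, currentUrl: firstUrl, mode };
  const hops = [];
  const record = () => hops.push({
    url: req.currentUrl,
    origin: req.origin === 'null' ? 'null' : new URL(req.origin).origin,
    corsFlag: corsFlagFor(req),
  });
  record();
  for (const loc of locations) {
    req = followRedirect(req, loc);
    record();
  }
  return hops;
}

// Constructed scenarios (hostnames made up for the example).
// 1. The answer's case: a CORS request to b.example is redirected to c.example,
//    so c.example receives Origin: null.
const crossOriginHop = traceRedirects(
  'https://a.example', 'https://b.example/api', ['https://c.example/api']);
// 2. The A -> B -> A flow: the request starts same-origin, so the first hop to
//    B still carries A's origin (the CORS flag is not yet set); the hop back to
//    A is then a cross-origin redirect of a CORS-flagged request and arrives at
//    A with Origin: null, which A's CORS policy has to decide on.
const roundTrip = traceRedirects(
  'https://a.example', 'https://a.example/login',
  ['https://b.example/sso', 'https://a.example/login?ticket=1']);

for (const h of [...crossOriginHop, ...roundTrip]) {
  console.log(`${h.url}  origin=${h.origin}  corsFlag=${h.corsFlag}`);
}
```

Once the origin is opaque it stays opaque for the rest of the chain, even when a later hop lands back on the page's own origin; that is why the final request in the round-trip case cannot pass a CORS check that expects the page's origin.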
1

There are a few other cases which can cause a null origin: https://webdbg.com/test/sandbox/frames.htm

Collimator answered 14/8, 2020 at 20:0 Comment(1)
See also https://mcmap.net/q/18432/-when-do-browsers-send-the-origin-header-when-do-browsers-set-the-origin-to-null for details about what the relevant specs require. (Plausible)
0

I have a similar situation, doing redirects in AJAX from domain A->B and finally back to A. As the origin is null, CORS fails.

On domain A I set Access-Control-Allow-Origin: null, which seems to work, will need to test more.

Gondi answered 24/11, 2016 at 10:58 Comment(1)
That defeats the purpose of Access-Control-Allow-Origin, please don't do that. (Hamlett)
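To make the comment's objection concrete, here is an added example (not the answerer's code) of a server-side CORS policy that echoes "null" next to one that refuses it, plus the browser-side check that decides whether a credentialed response is readable. The allowlist and hostnames are constructed. The point it shows: "null" is not one origin. Any document running in an opaque origin, such as a sandboxed iframe without `allow-same-origin`, a `data:` URL page or a `file:` page, sends the same `Origin: null` as the redirected request, so a server that answers `Access-Control-Allow-Origin: null` with credentials grants all of them the same access.

```javascript
// Added example, not code from the page: why echoing "null" in
// Access-Control-Allow-Origin is unsafe, and a policy that refuses it.

// Constructed allowlist of serialized origins this API trusts.
const ALLOWED_ORIGINS = new Set(['https://a.example', 'https://app.a.example']);

const ALLOW = (origin) => ({
  'Access-Control-Allow-Origin': origin,
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
});

// Weak policy from the answer above: trusts the literal "null" so the
// redirected request succeeds. Every page in an opaque origin (sandboxed
// <iframe>, data: URL, file: page) sends the same Origin: null and is granted
// the same credentialed access, with no way to tell them apart.
function weakCorsHeaders(originHeader) {
  if (originHeader === 'null' || ALLOWED_ORIGINS.has(originHeader)) {
    return ALLOW(originHeader);
  }
  return {};
}

// Hardened policy: only a serialized origin on the allowlist is echoed back;
// a missing header, "null" and unknown origins get no CORS headers at all.
function strictCorsHeaders(originHeader) {
  if (typeof originHeader !== 'string') return {};   // no Origin header: nothing to add
  if (originHeader === 'null') return {};            // opaque origin: anonymous, refuse
  if (!ALLOWED_ORIGINS.has(originHeader)) return {};
  return ALLOW(originHeader);
}

// The browser-side CORS check for a credentialed request: the response passes
// only if Allow-Origin equals the request's serialized origin (the literal
// "null" matches an opaque origin) and Allow-Credentials is "true"; the
// wildcard is never accepted with credentials.
function passesCorsCheck(serializedOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao !== '*' && acao === serializedOrigin
      && headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === serializedOrigin;
}

// Constructed check: a request arriving with Origin: null, which could equally
// be the redirected login call or a hostile sandboxed iframe on another site.
for (const [label, policy] of [['weak', weakCorsHeaders], ['strict', strictCorsHeaders]]) {
  const readable = passesCorsCheck('null', policy('null'), true);
  console.log(`${label} policy: credentialed response to Origin: null readable = ${readable}`);
}
```

The remedy for the redirect case is to restructure the flow so the XHR never follows a cross-origin redirect (the request that reaches A must still carry A's own origin), not to add "null" to the list of trusted origins.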

© 2022 - 2024 — McMap. All rights reserved.