Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

My questions: What is a "privacy-sensitive" context, and are there any browsers that exhibit this behavior?

Here is the full phrasing from the Origin spec:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

NOTE: This document does not define the notion of a privacy-sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields.


I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.


Check here: https://bugs.chromium.org/p/chromium/issues/detail?id=154967

by [email protected]

This behavior is actually in the spec [1]. See section 7.1.7 step 6.

Unfortunately the convention of transmitting the string "null" makes it seem like it could be a bug; I thought so myself until I tracked this down :)

We could probably do a better job of explaining this in the inspector:

http://www.w3.org/TR/cors/#generic-cross-origin-request-algorithms


I have a similar situation, doing redirects in AJAX from domain A->B and finally back to A. As the origin is null, CORS fails.

On domain A I set Access-Control-Allow-Origin: null, which seems to work; I will need to test more.


There are a few other cases related to iframes that can cause a null origin: https://webdbg.com/test/sandbox/frames.htm
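Because "null" is the same Origin value a browser sends for cross-site redirects, file:// pages and sandboxed iframes, a server that answers Access-Control-Allow-Origin: null (the workaround in the answer above) accepts all of those senders at once. The following is an added example, not code from any of the posters: a server-side origin check for "domain A" that shows the weak configuration beside a hardened one. The allowlist, function names and request origins are assumptions constructed for the example.

```javascript
// Added example (not from the original question or answers). Assumed allowlist
// of origins that domain A is willing to answer with CORS headers.
const ALLOWED_ORIGINS = new Set(['https://a.example', 'https://b.example']);

// Weak configuration from the answer: echo "null" back for the null origin.
// Any sender whose Origin is "null" (cross-site redirect, file://, sandboxed
// iframe) is then allowed to read the response, not just the intended A->B->A hop.
function weakCorsHeaders(requestOrigin) {
  if (requestOrigin === 'null') {
    return { 'Access-Control-Allow-Origin': 'null' };
  }
  return ALLOWED_ORIGINS.has(requestOrigin)
    ? { 'Access-Control-Allow-Origin': requestOrigin, Vary: 'Origin' }
    : {};
}

// Hardened check: "null" is not an identity that can be allowlisted, so it
// gets no CORS headers at all and the browser blocks script access to the
// response. Only a syntactically valid https origin on the allowlist is echoed.
function corsHeaders(requestOrigin) {
  if (typeof requestOrigin !== 'string' || requestOrigin === 'null') return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (e) {
    return {}; // not a URL at all, e.g. a bare hostname or garbage
  }
  // An Origin header is scheme://host[:port] with no path; reject anything else.
  if (parsed.protocol !== 'https:' || parsed.origin !== requestOrigin) return {};
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return {};
  // Vary: Origin keeps caches from serving one origin's response to another.
  return { 'Access-Control-Allow-Origin': parsed.origin, Vary: 'Origin' };
}

// Constructed sample Origin header values as they would arrive at domain A.
const SAMPLE_ORIGINS = ['https://b.example', 'null', 'https://evil.example', undefined];
for (const o of SAMPLE_ORIGINS) {
  console.log(String(o), '->', JSON.stringify(corsHeaders(o)));
}
```

For the redirect chain in the answer, the fix on the application side is to avoid the cross-site hop in the XHR/fetch itself (for example by exchanging a token with B server-to-server) rather than to trust the null origin.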