I'm doing an AJAX call from domain A to domain B.
My domain B checks if A is in the list of allowed domains and sets the Access-Control-Allow-Origin to domain A. So far, so good.
Domain B responds to the request by sending a 302 redirect to domain C using the Location header.
The AJAX call follows the redirect to domain C but has the header: Origin: null.
I expected the Origin header to be set to domain A after following the redirect.
Can anyone explain to me why the origin is set to null instead of to domain A?
Example

Request from domain A to B:

GET / HTTP/1.1
Host: domain-B.com
Origin: http://domain-A.com

Response from domain B:

Access-Control-Allow-Origin: http://domain-A.com
Location: http://domain-C.com

AJAX call follows the redirect to domain C:

GET / HTTP/1.1
Host: domain-C.com
Origin: null
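Added example, not code from the question or the answers: a small model of why the redirected request arrives at domain C with Origin: null, following the "redirect-tainted origin" rule in the WHATWG Fetch standard as I read it, plus the allowlist check the redirect target should apply. Domain names are lowercased because that is how browsers serialise origins; all URLs are constructed sample values.

```javascript
// Added example, not code from the question or answers: models the
// browser's Origin handling across the redirect described above and shows
// how the redirect target (domain C) should treat "Origin: null".
// Uses only Node's built-in URL class; sample URLs are constructed.

// Browser-style origin serialisation ("scheme://host[:port]", host lowercased).
function originOf(urlString) {
  return new URL(urlString).origin;
}

// WHATWG Fetch "redirect-tainted origin" rule (my reading of the spec):
// walking the request's URL list, the first hop that lands on a different
// origin, issued by a URL the requesting page is not same-origin with,
// makes the browser send Origin as the literal string "null".
function serializedOrigin(requestOrigin, urlList) {
  const reqOrigin = originOf(requestOrigin);
  let lastUrl = null;
  for (const url of urlList) {
    if (lastUrl !== null &&
        originOf(url) !== originOf(lastUrl) &&
        reqOrigin !== originOf(lastUrl)) {
      return 'null';
    }
    lastUrl = url;
  }
  return reqOrigin;
}

// Allowlist for the redirect target. "null" is the opaque origin shared by
// redirected, sandboxed-iframe and file:// requests, so it is never
// allowlisted and never echoed back into Access-Control-Allow-Origin.
const ALLOWED_ORIGINS = new Set(['http://domain-a.com']);

function corsHeadersFor(originHeader) {
  if (originHeader === undefined || originHeader === 'null') return {};
  if (!ALLOWED_ORIGINS.has(originHeader)) return {};
  // Echo only the exact allowlisted value; Vary keeps caches per-origin.
  return { 'Access-Control-Allow-Origin': originHeader, 'Vary': 'Origin' };
}

// The exchange from the question: A -> B (302) -> C.
const hops = ['http://domain-b.com/', 'http://domain-c.com/'];
console.log(serializedOrigin('http://domain-a.com', hops));   // null
console.log(corsHeadersFor('null'));                          // {}
```

A redirect issued by A's own server to C keeps Origin: domain A, because the requesting page is same-origin with the URL that redirected; the model reproduces that case too.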
AJAX appears to always follow redirects.
The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.
Unlike 301 pages, 302 redirects are temporary, which means you can switch back at any time.
See here; this seems to suggest it's related to a "privacy-sensitive" context.
Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?