Brrrr Brrrr - 15 days ago 9
Ajax Question

AJAX call following 302 redirect sets origin to null

I'm doing an ajax call From domain A to domain B.

My domain B checks if A is in the list of allowed domains and sets the Access-Control-allow-Origin to domain A. So far, so good.

Domain B responds to the request by sending a 302 redirect to domain C using the Location header.

The ajax call follows the redirect to domain C but has the header: origin null.

I expected the origin header to be set to domain A, after following the redirect.

Can anyone explain to me why the origin is set to null instead of to domain A?

Example

Request from domain A to B

GET / HTTP/1.1
Host: domain-B.com
Origin: http://domain-A.com


Response from domain B :

Access-Control-Allow-Origin: http://domain-A.com
Location: http://domain-C.com


Ajax call follows the redirect to domain C:

GET HTTP/ 1.1
Host: domain-C.com
Origin: null

Answer

See here, this seems to suggest its related to a "privacy-sensitive" context.

Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?