Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
532 views
in Technique[技术] by (71.8m points)

cors - Are there any browsers that set the origin header to "null" for privacy-sensitive contexts?

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rather than from a hosted web page. The spec also states that the Origin may be null if the request comes from a "privacy-sensitive" context.

My questions: What is a "privacy-sensitive" context, and are there any browsers that exhibit this behavior?

Here is the full phrasing from the Origin spec:

Whenever a user agent issues an HTTP request from a "privacy-sensitive" context, the user agent MUST send the value "null" in the Origin header field.

NOTE: This document does not define the notion of a privacy-sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I've finally figured out an answer to this. There is at least one other situation where an Origin header may be "null". When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin header will be changed to "null". I suppose this is considered a "privacy-sensitive context" because the browser doesn't want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...