Are there any browsers that set the origin header to “null” for privacy-sensitive contexts?

故里飘歌 2020-12-01 01:21

The Origin spec indicates that the Origin header may be set to "null". This is typically done when the request is coming from a file on a user's computer rat

4 answers
  •  被撕碎了的回忆
    2020-12-01 02:07

    Check here: https://bugs.chromium.org/p/chromium/issues/detail?id=154967

    by strobe@google.com

    This behavior is actually in the spec [1]. See section 7.1.7 step 6.

    Unfortunately the convention of transmitting the string "null" makes it seem like it could be a bug; I thought so myself until I tracked this down :)

    We could probably do a better job of explaining this in the inspector:

    http://www.w3.org/TR/cors/#generic-cross-origin-request-algorithms
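
How a server can treat the literal `null` value when making a CORS decision, as an added example that is not part of the original thread. `ALLOWED_ORIGINS`, `classifyOrigin` and `corsHeadersFor` are hypothetical names, and `https://app.example.com` is a placeholder origin.

```javascript
// Added example: server-side handling of the Origin request header.
// ALLOWED_ORIGINS is a hypothetical allowlist with a placeholder value.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Classify the raw Origin header value received with a request.
function classifyOrigin(header) {
  if (header === undefined || header === "") return { kind: "absent" };
  // An opaque origin (local file, sandboxed frame, ...) is sent as the
  // literal string "null"; it identifies no particular sender.
  if (header === "null") return { kind: "opaque" };
  let url;
  try {
    url = new URL(header);
  } catch {
    return { kind: "malformed" };
  }
  // A serialized origin is scheme://host[:port] with no path or query.
  // Requiring an exact round trip rejects anything else.
  if (url.origin !== header) return { kind: "malformed" };
  return { kind: "tuple", origin: url.origin };
}

// Build CORS response headers. Only an allowlisted tuple origin is echoed
// back; "null" is never echoed, because many unrelated contexts share it.
function corsHeadersFor(header) {
  const c = classifyOrigin(header);
  const headers = { Vary: "Origin" };
  if (c.kind === "tuple" && ALLOWED_ORIGINS.has(c.origin)) {
    headers["Access-Control-Allow-Origin"] = c.origin;
  }
  return headers;
}

// Constructed sample header values, not captured traffic.
for (const h of ["https://app.example.com", "null", "https://app.example.com/x", undefined]) {
  console.log(JSON.stringify(h), classifyOrigin(h).kind, corsHeadersFor(h));
}
```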
