Are there any browsers that set the origin header to “null” for privacy-sensitive contexts?

Question

The Origin spec indicates that the Origin header may be set to \"null\". This is typically done when the request is coming from a file on a user\'s computer rat

Answer 1

I have similar situation, doing redirects in ajax from domain A->B and finally back to A. As origin is null, CORS fails.

On domain A I set Access-Control-Allow-Origin: null, which seems to work, will need to test more.