IE does not set Origin to null on CORS redirect and yet fails because header is not null

Not reproducible Issue #8680109


Richard M.
Aug 29, 2016
This issue is public.
Found in
  • Internet Explorer
Reported by 9 people


Steps to reproduce

We have 3 sites:

When we make CORS request from a to b and b 302’s to c, the Origin is NOT set to null. Instead the origin is set to

And yet the request subsequently fails with:

SEC7120: Origin null not found in Access-Control-Allow-Origin header.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Well it’s not null because it doesn’t send null as the origin and our server reflects back the origin. If we force our server to send null regardless for Access-Control-Allow-Origin then we get an Access Denied error.

So it seems IE is bugged by sending out the actual origin on a 302 CORS redirect and expecting null back.

If we do:

Then it will send null and everything works. But when all the domains are same it seems to trust them on the request and send the origin, but then tries to compare the access header to the untrusted value of null.



    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

    • Thank you for your feedback. We’re not presently working on feature bugs in Internet Explorer outside of security-related issues. Having said that, could you please confirm whether this issue is reproducible in MS Edge or not? If yes, could you please also provide us a repro sample or a link that can demonstrate the issue? This will help us investigate the issue.

      All the best,
      The MS Edge Team

    • Microsoft Edge 38.14393.0.0 has the same issue.

    • Microsoft Edge Team

      Changed Assigned To from “Ibrahim O.” to “James M.”

      Changed Status to “Won’t fix”

      Changed Assigned To to “James M.”

      Changed Status from “Won’t fix” to “Not reproducible”

    • Hello,

      Thank you for providing this information about the issue. Please provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.

      Best Wishes,

      The MS Edge Team

    • Repro steps:

      1. create three virtual hosts named,,
        one way of doing this which I used is:
        a) install xampp
        b) add virtual hosts in xampp\apache\conf\extra\httpd-vhosts.conf
        for example:
        DocumentRoot "C:/xampp/htdocs"
        ##ErrorLog "logs/"
        ##CustomLog "logs/" common

        similarly add virtual hosts for and
        c) add DNS mapping in file C:\Windows\System32\drivers\etc\hosts.
        for example: also map and

      2. Download file from following link:

      3. unzip this file inside server root folder i.e. htdocs.

      4. Now, Test that setup is successfully done or not.
        If,, all three files are accessible then only setup is complete.

      5. Now, hit url in edge browser then click on ‘Run Tests’ button.
        Observe that Edge gives the console error ‘Origin null not found in Access-Control-Allow-Origin header.’, while it works fine in other browsers (Chrome, Firefox, etc.).

    • You can also go to and create a backup. If you then restore the backup, you will get the error Origin null not found in Access-Control-Allow-Origin header.

    • Please fix this. This issue is causing Edge and IE to be the only browsers that don’t support video playback outside of Flash when working with a video CMS.

    • I just found this bug in IE11. I guess it was fixed in Edge, as I am not able to reproduce in Edge.

      If IE11 is no longer supported, please officially deprecate it, so that the rest of the world can also officially deprecate it.

    • To clarify, this bug occurs only when changing subdomains. A full redirect to a different host ( to works.

      I guess that the comparison for the request only compares the two rightmost parts of the 301d request and the current request, but does an actual a == b check when analysing the response. Thus it thinks Origin should not be null for the request part, but does think it should be null for the response.

      This is a pretty silly bug that has a really easy fix. Just make it do a == b for the request.
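
The mismatch guessed at in the comment above, modelled as an added example (not Microsoft's code and not written by any participant in this thread): the Fetch-standard tainted-origin rule with a pluggable comparison, next to the hypothesised "two rightmost labels" variant on the request side only. Host names are constructed placeholders and every function name is hypothetical.

```javascript
// Added illustration. Hosts are constructed placeholders, not the reporter's sites.
const origin = (url) => new URL(url).origin;

// Hypothesised loose comparison from the comment: only the two rightmost host labels.
const lastTwoLabels = (url) => new URL(url).hostname.split('.').slice(-2).join('.');

// Fetch-standard rule: a redirect hop taints the origin when it leaves the current
// URL's origin AND the current URL is already cross-origin to the requesting page.
// A tainted origin is serialised as the literal string "null".
function originHeader(pageUrl, chain, same = (a, b) => origin(a) === origin(b)) {
  let tainted = false;
  for (let i = 0; i + 1 < chain.length; i++) {
    if (!same(chain[i], chain[i + 1]) && !same(pageUrl, chain[i])) tainted = true;
  }
  return tainted ? 'null' : origin(pageUrl);
}

// CORS check on the final response: exact string match against the serialised
// origin computed with exact-origin rules. "*" only counts without credentials.
function corsCheck(pageUrl, chain, allowOrigin, credentials = false) {
  if (allowOrigin === '*' && !credentials) return true;
  return allowOrigin === originHeader(pageUrl, chain);
}

// Server that reflects whatever Origin value it received, as the reporter's does.
const reflect = (receivedOrigin) => receivedOrigin;

// looseRequestSide=true models the hypothesised bug: the loose comparison decides
// what is sent, while the response is still checked with the exact comparison.
function simulate(pageUrl, chain, looseRequestSide) {
  const loose = (a, b) => lastTwoLabels(a) === lastTwoLabels(b);
  const sent = looseRequestSide
    ? originHeader(pageUrl, chain, loose)
    : originHeader(pageUrl, chain);
  return { sent, passes: corsCheck(pageUrl, chain, reflect(sent)) };
}

// Constructed scenario: page on a, XHR to b, b redirects to c (all subdomains).
const page = 'http://a.example.test/page';
const subdomainChain = ['http://b.example.test/api', 'http://c.example.test/api'];
console.log('consistent rule:', simulate(page, subdomainChain, false));
console.log('hypothesised bug:', simulate(page, subdomainChain, true));
```

In this model a reflecting server can never satisfy the check in the subdomain case, because the value it is sent and the value it is expected to return are computed by two different comparisons.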

    • George B is correct that Edge 38.14393.0.0 had the same issue. Can you please tell us which version of Edge this was fixed in?

    • I’m encountering this bug in Microsoft Edge 38.14393.1066.0

      • GET
      • This get call returns a 301 redirect to
      • A header in 301 redirect response message: Access-Control-Allow-Origin: *
        • This results in the following errors in Edge:
          • SEC7120: Origin null not found in Access-Control-Allow-Origin header.
          • SCRIPT7002: XMLHttpRequest: Network Error 0x80700013, Could not complete the operation due to error 80700013.
    • I’m encountering this issue as well, with IE 11.285.17134.0. It’s preventing clients from accessing our website, please provide an update.

    • This problem is not difficult to reproduce. Edge is the only major browser that won’t load a user profile picture from the URL provided by the Facebook Graph API. Please make the browser work with Facebook.
