IE does not set Origin to null on CORS redirect and yet fails because header is not null

Not reproducible Issue #8680109

Details

Author
Richard M.
Created
Aug 29, 2016
Privacy
This issue is public.
Found in
  • Internet Explorer
Reports
Reported by 6 people


Steps to reproduce

We have 3 sites:

a.example.com
b.example.com
c.example.com

When we make a CORS request from a to b and b 302’s to c, the Origin is NOT set to null. Instead the origin is set to a.example.com.

And yet the request subsequently fails with:

SEC7120: Origin null not found in Access-Control-Allow-Origin header.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Well, it’s not null because it doesn’t send null as the origin and our server reflects back the origin. If we force our server to send null regardless for Access-Control-Allow-Origin, then we get the Access Denied error.

So it seems IE is bugged by sending out the actual origin on a 302 CORS redirect and expecting null back.

If we do:

a.somesite.com
b.example.com
c.example.com

Then it will send null and everything works. But when all the domains are the same, it seems to trust them on the request and send the origin, but then tries to compare the access header to the untrusted value of null.

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

    • Thank you for your feedback. We’re not presently working on feature bugs in Internet Explorer outside of security-related issues. Having said that, could you please confirm whether this issue is reproducible in MS Edge or not? If yes, could you please also provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.

      All the best,
      The MS Edge Team

    • Microsoft Edge 38.14393.0.0 has the same issue.

    • Microsoft Edge Team

      Changed Assigned To from “Ibrahim O.” to “James M.”

      Changed Status to “Won’t fix”

      Changed Assigned To to “James M.”

      Changed Status from “Won’t fix” to “Not reproducible”

    • Hello,

      Thank you for providing this information about the issue. Please provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.

      Best Wishes,

      The MS Edge Team

    • Repro steps:

      1. Create three virtual hosts named a.example.com, b.example.com, c.example.com.
        One way of doing this, which I used, is:
        a) install XAMPP
        b) add virtual hosts in xampp\apache\conf\extra\httpd-vhosts.conf
        for example (one <VirtualHost> block per host; the ## lines are commented out):
        <VirtualHost *:80>
            ##ServerAdmin webmaster@dummy-host.example.com
            DocumentRoot "C:/xampp/htdocs"
            ServerName a.example.com
            ##ServerAlias www.dummy-host.example.com
            ##ErrorLog "logs/dummy-host.example.com-error.log"
            ##CustomLog "logs/dummy-host.example.com-access.log" common
        </VirtualHost>

        similarly add virtual hosts for b.example.com and c.example.com
        c) add DNS mapping in file C:\Windows\System32\drivers\etc\hosts.
        for example: 127.0.0.1 a.example.com. Also map b.example.com and c.example.com
        to 127.0.0.1.

      2. Download the IEBug.zip file from the following link:
        https://www.dropbox.com/s/4udyeyxymffqfob/IEBug.zip?dl=0

      3. Unzip this file inside the server root folder, i.e. htdocs.

      4. Now, test whether the setup is done successfully.
        Only if a.example.com/IEBug/index.html, b.example.com/IEBug/first.php and c.example.com/IEBug/second.php are all accessible is the setup complete.

      5. Now, open the URL a.example.com/IEBug/index.html in the Edge browser, then click on the ‘Run Tests’ button.
        Observe that Edge gives the console error ‘Origin null not found in Access-Control-Allow-Origin header.’ while it works fine in other browsers (Chrome, Firefox, etc.).

    • You can also go to and create a backup. If you then restore the backup, you will get the error Origin null not found in Access-Control-Allow-Origin header.

    • Please fix this. This issue is causing Edge and IE to be the only browsers that don’t support video playback outside of Flash when working with a video CMS.

    • I just found this bug in IE11. I guess it was fixed in Edge, as I am not able to reproduce in Edge.

      If IE11 is no longer supported, please officially deprecate it, so that the rest of the world can also officially deprecate it.

    • To clarify, this bug occurs only when changing subdomains. A full redirect to a different host (example-1.com to example-2.com) works.

      I guess that the comparison for the request only compares the two rightmost parts of the 301d request and the current request, but does an actual a == b check when analysing the response. Thus it thinks Origin should not be null for the request part, but does think it should be null for the response.

      This is a pretty silly bug that has a really easy fix. Just make it do a == b for the request.
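The redirect flow from the report and the request/response comparison mismatch hypothesised in the comment above, as an added Python model that is not part of this issue or of any browser's code. It uses the a/b/c hosts from the repro steps. `spec_tainted` follows the Fetch standard's redirect-tainted-origin rule with exact origin comparison; `hypothesised_ie_tainted` is an assumption that encodes the commenter's guess (only the two rightmost host labels are compared on the request side, while the response side still expects the exact, tainted value). `reflecting_server` mirrors the reporter's server; `allowlist_server` is an assumed stricter alternative used for comparison.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Serialise scheme://host[:port] of a URL (the form the Origin header uses)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def registrable_domain(url):
    """Crude eTLD+1: the two rightmost host labels. Used only to model the
    commenter's hypothesis; a real browser would consult the public-suffix list."""
    return ".".join(urlsplit(url).hostname.split(".")[-2:])


def spec_tainted(page_origin, url_list):
    """Fetch's 'redirect-tainted origin' rule with exact same-origin comparison:
    a hop taints the request when it changes origin and the URL it leaves is
    not the requester's own origin. url_list = initial URL + redirect targets."""
    last = None
    for url in url_list:
        if (last is not None
                and origin_of(url) != origin_of(last)
                and page_origin != origin_of(last)):
            return True
        last = url
    return False


def hypothesised_ie_tainted(page_origin, url_list):
    """Assumed model of the comment's hypothesis: the request side compares only
    the two rightmost labels of the page host against each redirect target."""
    return any(registrable_domain(url) != registrable_domain(page_origin)
               for url in url_list[1:])


def serialize_origin(page_origin, url_list, taint_policy):
    """Value of the Origin request header: 'null' once the chain taints it."""
    return "null" if taint_policy(page_origin, url_list) else page_origin


def cors_check(expected_origin, allow_origin):
    """Non-credentialed CORS check: '*' or an exact match of the serialised origin."""
    return allow_origin in ("*", expected_origin)


def reflecting_server(origin_header):
    """The reporter's server: echoes whatever Origin it received."""
    return origin_header


def allowlist_server(origin_header, allowed=frozenset({"http://a.example.com"})):
    """Stricter server: echoes only allowlisted origins, otherwise sends no ACAO."""
    return origin_header if origin_header in allowed else None


def simulate(page_origin, url_list, server, request_policy, response_policy=spec_tainted):
    """One redirected CORS fetch. Returns (Origin sent, ACAO received, passed).
    A conformant browser uses the same tainting policy both to build the Origin
    header and to decide what the final response's ACAO must match."""
    sent = serialize_origin(page_origin, url_list, request_policy)
    acao = server(sent)
    expected = serialize_origin(page_origin, url_list, response_policy)
    return sent, acao, cors_check(expected, acao)


# Constructed from the issue: page on a, XHR to b, b answers 302 to c.
PAGE = "http://a.example.com"
OTHER_PAGE = "http://a.somesite.com"
CHAIN = ["http://b.example.com/IEBug/first.php", "http://c.example.com/IEBug/second.php"]


def conformant(page_origin, server):
    return simulate(page_origin, CHAIN, server, spec_tainted)


def hypothesised_ie(page_origin, server):
    return simulate(page_origin, CHAIN, server, hypothesised_ie_tainted)


if __name__ == "__main__":
    print("conformant, a.example.com, reflect:  ", conformant(PAGE, reflecting_server))
    print("IE model,   a.example.com, reflect:  ", hypothesised_ie(PAGE, reflecting_server))
    print("IE model,   a.somesite.com, reflect: ", hypothesised_ie(OTHER_PAGE, reflecting_server))
    print("conformant, a.example.com, allowlist:", conformant(PAGE, allowlist_server))
```

Running it reproduces the three observations in the report: a conformant browser sends `Origin: null` for a to b to c and the reflected `null` passes; the lax request-side check sends the real origin, which then fails against the `null` the response side expects; and a page on a.somesite.com is tainted under both rules, so it works. The last case shows that a strict allowlist server does not rescue the flow either: after a cross-origin redirect the only value a server could match is `null`, and allowlisting `null` is unsafe because sandboxed iframes and file: pages send the same value, so the durable server-side fix is to serve the CORS resource from its final URL without the cross-origin hop.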

    • George B is correct that Edge 38.14393.0.0 had the same issue. Can you please tell us which version of Edge this was fixed in?
