IE does not set Origin to null on CORS redirect and yet fails because header is not null

Won’t fix Issue #8680109


Richard M.
Aug 29, 2016
This issue is public.
Found in
  • Internet Explorer
Reported by 2 people


Steps to reproduce

We have 3 sites:

When we make a CORS request from a to b and b 302’s to c, the Origin is NOT set to null. Instead the origin is set to

And yet the request subsequently fails with:

SEC7120: Origin null not found in Access-Control-Allow-Origin header.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Well it’s not null because it doesn’t send null as the origin and our server reflects back the origin. If we force our server to send null regardless for Access-Control-Allow-Origin then we get an Access Denied error.

So it seems IE is bugged by sending out the actual origin on a 302 CORS redirect and expecting null back.

If we do:

Then it will send null and everything works. But when all the domains are the same it seems to trust them on the request and send the origin, but then tries to compare the access header to the untrusted value of null.
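
The mismatch described in this report can be modelled as follows. This is an added example, not part of the original report and not browser code: it applies the WHATWG Fetch "redirect-tainted origin" rule to a constructed a → b → c chain and compares a client that sends `null` on the redirected hop with one that sends the real origin but still checks against `null`. The host names and the `sendsRealOrigin` switch are assumptions, since the report's site names are not on the page.

```javascript
// Constructed hosts (assumption): the report's real site names are not on the page.
const PAGE_ORIGIN = "https://a.example.test";
const CHAIN = [
  "https://b.example.test/api", // first CORS target, answers 302
  "https://c.example.test/api", // redirect target
];

const originOf = (url) => new URL(url).origin;

// Fetch "redirect-tainted origin": true once a request that was already
// cross-origin is redirected to yet another origin.
function isRedirectTainted(requestOrigin, urlList) {
  for (let i = 1; i < urlList.length; i++) {
    const prev = originOf(urlList[i - 1]);
    if (originOf(urlList[i]) !== prev && requestOrigin !== prev) return true;
  }
  return false;
}

// Origin header value a spec-following client sends on the final hop.
function originHeader(requestOrigin, urlList) {
  return isRedirectTainted(requestOrigin, urlList) ? "null" : requestOrigin;
}

// CORS check: Access-Control-Allow-Origin must be "*" (no credentials)
// or exactly equal to the origin the client expects.
function corsCheck(acao, expectedOrigin, withCredentials = false) {
  if (acao === "*") return !withCredentials;
  return acao === expectedOrigin;
}

// Server behaviour from the report: reflect the Origin request header.
const reflectOrigin = (originHeaderValue) => originHeaderValue;

// sendsRealOrigin (hypothetical switch) models the reported behaviour:
// the real origin goes on the wire, but the check still expects "null".
function simulate(requestOrigin, urlList, { sendsRealOrigin }) {
  const expected = originHeader(requestOrigin, urlList);
  const sent = sendsRealOrigin ? requestOrigin : expected;
  const acao = reflectOrigin(sent);
  return { sent, expected, acao, allowed: corsCheck(acao, expected) };
}

console.log(simulate(PAGE_ORIGIN, CHAIN, { sendsRealOrigin: false }));
console.log(simulate(PAGE_ORIGIN, CHAIN, { sendsRealOrigin: true }));
```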



    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

    • Thank you for your feedback. We’re not presently working on feature bugs in Internet Explorer outside of security-related issues. Having said that, could you please confirm whether this issue is reproducible in MS Edge or not. If yes, could you please also provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.

      All the best,
      The MS Edge Team

    • Microsoft Edge 38.14393.0.0 has the same issue.

    • Microsoft Edge Team

      Changed Assigned To from “Ibrahim O.” to “James M.”

      Changed Status to “Won’t fix”
