IE does not set Origin to null on CORS redirect and yet fails because header is not null

Not reproducible Issue #8680109


Richard M.
Aug 29, 2016
This issue is public.
Found in
  • Internet Explorer
Reported by 5 people

Sign in to watch or report this issue.

Steps to reproduce

We have 3 sites:

When we make CORS request from a to b and b 302’s to c, the Origin is NOT set to null. Instead the origin is set to

And yet the request subsequently fails with:

SEC7120: Origin null not found in Access-Control-Allow-Origin header.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Well it’s not null because it doesn’t send null as the origin and our server reflects back the origin. If we force our server to send null regardless for Access-Control-Allow-Origin then the we get Access Denied error.

So it seems IE is bugged by sending out the actual origin on a 302 CORS redirect and expecting null back.

If we do :

Then it will send null and everything works. But when all the domains are same it seems to trust them on the request and send the origin, but then tries to compare the access header to the untrusted value of null.


0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

    • Thank you for your feedback. We’re not presently working on feature bugs in Internet Explorer outside of security-related issues. Having said that. could you please confirm whether this issue is reproducible in MS Edge or not. If yes, could you please also provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.

      All the best,
      The MS Edge Team

    • Microsoft Edge 38.14393.0.0 has the same issue.

    • Microsoft Edge Team

      Changed Assigned To from “Ibrahim O.” to “James M.”

      Changed Status to “Won’t fix”

      Changed Assigned To to “James M.”

      Changed Status from “Won’t fix” to “Not reproducible”

    • Hello,

      Thank you for providing this information about the issue. Please provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.

      Best Wishes,

      The MS Edge Team

    • Repro steps:

      1. create three virtual hosts named,,
        one way of doing this which I used is:
        a) install xampp
        b) add virtual hosts in xampp\apache\conf\extra\httpd-vhosts.conf
        for example:
        DocumentRoot “C:/xampp/htdocs”
        ##ErrorLog “logs/”
        ##CustomLog “logs/” common

        similarly add virtual hosts for and
        c) add DNS mapping in file C:\Windows\System32\drivers\etc\hosts.
        for example: also map and

      2. Download file from following link:

      3. unzip this file inside server root folder i.e. htdocs.

      4. Now, Test that setup is successfully done or not.
        If,, all three files are accessible then only setup is complete.

      5. Now, hit url in edge browser then click on ‘Run Tests’ button.
        Observe that edge gives console error ‘Origin null not found in Access-Control-Allow-Origin header.’ While it is working fine in other browsers(chrome, firefox etc.)

    • You can also go to and create a backup. If you then restore the backup, you will get the error Origin null not found in Access-Control-Allow-Origin header.

    • Please fix this. This issue is causing Edge and IE to be the only browsers that don’t support video playback outside of Flash when working with a video CMS.

    You need to sign in to your Microsoft account to add a comment.

    Sign in