Steps to reproduce
We have 3 sites:
When we make CORS request from a to b and b 302’s to c, the Origin is NOT set to null. Instead the origin is set to a.example.com.
And yet the request subsequently fails with:
SEC7120: Origin null not found in Access-Control-Allow-Origin header.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
Well it’s not null because it doesn’t send null as the origin and our server reflects back the origin. If we force our server to send null regardless for Access-Control-Allow-Origin then the we get Access Denied error.
So it seems IE is bugged by sending out the actual origin on a 302 CORS redirect and expecting null back.
If we do :
Then it will send null and everything works. But when all the domains are same it seems to trust them on the request and send the origin, but then tries to compare the access header to the untrusted value of null.
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Ibrahim O.”
Thank you for your feedback. We’re not presently working on feature bugs in Internet Explorer outside of security-related issues. Having said that. could you please confirm whether this issue is reproducible in MS Edge or not. If yes, could you please also provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.
All the best,
The MS Edge Team
Microsoft Edge 38.14393.0.0 has the same issue.
- Microsoft Edge Team
Changed Assigned To from “Ibrahim O.” to “James M.”
Changed Status to “Won’t fix”
Changed Assigned To to “James M.”
Changed Status from “Won’t fix” to “Not reproducible”
Thank you for providing this information about the issue. Please provide us a repro sample or a link that can demonstrate the issue. This will help us investigate the issue.
The MS Edge Team
create three virtual hosts named a.example.com, b.example.com, c.example.com
one way of doing this which I used is:
a) install xampp
b) add virtual hosts in xampp\apache\conf\extra\httpd-vhosts.conf
##CustomLog “logs/dummy-host.example.com-access.log” common
similarly add virtual hosts for b.example.com and c.example.com
c) add DNS mapping in file C:\Windows\System32\drivers\etc\hosts.
for example: 127.0.0.1 a.example.com. also map b.example.com and c.example.com
Download IEBug.zip file from following link:
unzip this file inside server root folder i.e. htdocs.
Now, Test that setup is successfully done or not.
If a.example.com/IEBug/index.html, b.example.com/IEBug/first.php, c.example.com/IEBug/second.php all three files are accessible then only setup is complete.
Now, hit url a.example.com/IEBug/index.html in edge browser then click on ‘Run Tests’ button.
Observe that edge gives console error ‘Origin null not found in Access-Control-Allow-Origin header.’ While it is working fine in other browsers(chrome, firefox etc.)
You can also go to and create a backup. If you then restore the backup, you will get the error
Origin null not found in Access-Control-Allow-Origin header.
You can also go to http://shopadoo.styrit.com/#/Settings
Please fix this. This issue is causing Edge and IE to be the only browsers that don’t support video playback outside of Flash when working with a video CMS.
I just found this bug in IE11. I guess it was fixed in Edge, as I am not able to reproduce in Edge.
If IE11 is no longer supported, please officially deprecate it, so that the rest of the world can also officially deprecate it.
To clarify, this bug occurs only when changing subdomains. A full redirect to a different host (
I guess that the comparison for the request only compares the two rightmost parts of the 301d request and the current request, but does an actual a == b check when analysing the response. Thus it thinks
Originshould not be null for the request part, but does think it should be null for the response.
This is a pretty silly bug that has a really easy fix. Just make it do a == b for the request.
George B is correct that Edge 38.14393.0.0 had the same issue. Can you please tell us which version of Edge this was fixed in?