The Origin header in HTTP requests indicates the origin (protocol, host, and port) of the initiating request. However, there are certain situations where the browser sets the value of this header to null. The common scenarios are:
- Cross-Origin Redirects
When a request follows a redirect to a cross-origin domain, the browser may no longer have a clear origin to attach to the subsequent request. Example: a request is initiated from https://site-a.com and is redirected to https://site-b.com. In some cases, after the redirection, the Origin header is set to null to indicate that the original origin information is not forwarded.
- Requests from Serialized Data
When a request is generated from serialized data (e.g., using APIs such as Blob, FileReader, or DataTransfer), the browser sets the Origin to null, because serialized data may not have a clear, associated origin. Example: a user creates a Blob URL and makes a fetch request using this URL; the Origin header in that request might be null.
- Requests Using the file: Protocol
When a request is initiated from a local file served through the file: protocol, there is no http or https origin to attach. The Origin header is set to null to indicate that the request comes from a local source. Example: opening an HTML file directly from your local file system (e.g., file:///path/to/file.html) and making a network request from a script in that file.
- Sandboxed Cross-Origin Requests
If a web page is loaded in an iframe that carries the sandbox attribute, the browser restricts its ability to include origin details in requests for security reasons. The Origin header is set to null to prevent the iframe content from identifying itself to the server. Example:
<iframe src="https://example.com" sandbox></iframe>
Any request initiated by the content of this iframe may have an Origin header with the value null.
Security Implications
The null origin value can be misused if it is not handled properly. For example:
Access Control Vulnerabilities: If an application trusts requests with a null origin without proper validation, it could allow unauthorized access to restricted resources, since any of the scenarios above (a sandboxed iframe, a local file, a cross-origin redirect) produces the same null value.
Mitigation
Avoid Whitelisting the null Origin: Only allow the null origin if absolutely necessary, and only for resources that are safe to expose publicly.
Validate Incoming Requests: Implement strict validation rules for incoming requests, especially those carrying a null origin.
Use CORS Policies Wisely: Configure Cross-Origin Resource Sharing (CORS) policies to restrict access to an explicit list of trusted origins rather than reflecting whatever Origin the client sent.
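The mitigation steps above, as an added example that is not part of the original page: a server-side CORS origin check written for Node.js. It places a weak handler that reflects any Origin (and therefore grants access to the literal string "null" that a sandboxed iframe, a local file, or a cross-origin redirect sends) beside a hardened handler that compares the Origin against an exact-match allowlist. The allowlist entries and the sample origins are constructed values; the function names are my own, not any library's API.

```javascript
// Added example, not from the original page. Constructed allowlist of trusted
// origins: scheme + host (+ non-default port), no path, no trailing slash.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// Weak handler: reflects whatever Origin the client sent and allows
// credentials. Because the null origin arrives as the literal string "null",
// this handler hands CORS access to every sandboxed, file: or redirected
// request, which is the access-control risk described above.
// Returns the response headers to set, or null to send no CORS headers.
function corsHeadersReflecting(originHeader) {
  if (typeof originHeader !== "string") return null;
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Hardened handler: exact-match allowlist. "null" is never on the list, and
// the header must equal its own serialized origin (what a browser actually
// sends), so variants with paths, trailing slashes or mixed case are refused.
function corsHeadersStrict(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string") return null;
  // The null origin is the literal string "null"; reject it explicitly.
  if (originHeader === "null") return null;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return null; // not a syntactically valid origin
  }
  // parsed.origin is the canonical serialization (lower-case host, default
  // port dropped); it is "null" for opaque schemes such as data: or file:.
  if (parsed.origin === "null" || parsed.origin !== originHeader) return null;
  if (!allowlist.has(parsed.origin)) return null;
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // keep caches from serving one origin's answer to another
  };
}

// Evaluate a batch of constructed Origin header values with both handlers and
// report which ones each would grant. Useful as a quick review of a policy.
function compareHandlers(origins) {
  return origins.map((o) => ({
    origin: o,
    reflecting: corsHeadersReflecting(o) !== null,
    strict: corsHeadersStrict(o) !== null,
  }));
}

// Stand-alone run over constructed sample values.
const SAMPLE_ORIGINS = [
  "https://app.example.com", // trusted
  "null",                    // sandboxed iframe / file: / redirect
  "https://app.example.com.evil.test", // look-alike host
  "https://app.example.com/", // trailing slash, not how a browser serializes
  "http://app.example.com",  // wrong scheme
  "file:///tmp/page.html",   // opaque origin
];
for (const row of compareHandlers(SAMPLE_ORIGINS)) {
  console.log(row);
}
```

Note that a request with no Origin header at all (a same-origin navigation, or a non-browser client) gets no CORS headers from either handler; that is the intended default, since CORS headers only matter to a browser enforcing the same-origin policy.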