Closed moee closed 8 years ago
null is a valid and expected value for the Access-Control-Allow-Origin header [1]. To the best of my understanding, returning null is the proper way to respond to this request. The flow chart [2] indicates that an invalid origin does not make the request an invalid CORS request. Therefore, it should respond as a CORS request and list the domains that are allowed, or null if there are none or the server doesn't want to say. This provider is designed not to give any information about allowed domains as a security measure, so requests from invalid domains always receive null.

[1] https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
[2] http://www.html5rocks.com/static/images/cors_server_flowchart.png
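The decision the comment above describes, written out as an added example (this is not the project's code; the allowlist, the header dictionaries and the function names are assumptions made for the illustration): a request without an Origin header is not a CORS request and gets no CORS headers, an allowed origin is echoed back, and every other Origin gets the literal value null so the allowlist is never revealed. The example also models the browser side of the check, because it is the caveat a practitioner should weigh before adopting this behaviour: the serialized origin of a sandboxed iframe, a data: URL or a file:// page is the string "null", and the spec's match is byte-for-byte, so an Access-Control-Allow-Origin value of null satisfies exactly those callers for a non-credentialed request.

```python
"""Added example, not the project's code: CORS origin check that answers
unknown origins with the literal value "null", plus the browser-side match
the response is subjected to. Allowlist and request headers are constructed
for the example.
"""
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist for the example (assumption, not the project's config).
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] for a well-formed Origin header, else None.

    An Origin header carries no path, query or fragment. Comparing the whole
    normalized value against the allowlist avoids the usual prefix/substring
    mistakes (https://app.example.com.attacker.net must not match).
    The literal "null" has no scheme and normalizes to None.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(request_headers: Dict[str, str],
                 allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Build the CORS response headers for one request.

    No Origin header: not a CORS request, so no CORS headers at all.
    Allowed origin: echo it back (Vary: Origin because the answer depends
    on the request). Anything else, including a malformed Origin or the
    literal "null": answer "null" and reveal nothing about the allowlist.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    normalized = normalize_origin(origin)
    if normalized in allowed:
        return {"Access-Control-Allow-Origin": normalized, "Vary": "Origin"}
    return {"Access-Control-Allow-Origin": "null", "Vary": "Origin"}


def browser_would_allow_read(request_origin: str, acao_value: str) -> bool:
    """Approximate the browser's CORS check for a non-credentialed request:
    the response body is readable if ACAO is "*" or is byte-equal to the
    serialized request origin. A sandboxed iframe, data: URL or file:// page
    serializes its origin as "null", so an ACAO of "null" matches those
    callers even though it matches no named site.
    """
    return acao_value == "*" or acao_value == request_origin


def demo() -> Dict[str, Dict[str, str]]:
    """Run the handler over constructed requests, including the issue's
    curl reproduction (Origin: http://bar.com) and an opaque-origin caller."""
    cases = {
        "allowed": {"Origin": "https://app.example.com"},
        "foreign": {"Origin": "http://bar.com"},     # the curl reproduction
        "lookalike": {"Origin": "https://app.example.com.attacker.net"},
        "opaque": {"Origin": "null"},                # sandboxed iframe / data: URL
        "not_cors": {},                              # no Origin header at all
    }
    return {name: cors_headers(headers) for name, headers in cases.items()}


if __name__ == "__main__":
    for name, headers in demo().items():
        origin = {"allowed": "https://app.example.com", "foreign": "http://bar.com",
                  "lookalike": "https://app.example.com.attacker.net",
                  "opaque": "null", "not_cors": None}[name]
        acao = headers.get("Access-Control-Allow-Origin", "")
        readable = origin is not None and browser_would_allow_read(origin, acao)
        print(f"{name:10s} ACAO={acao or '(absent)':40s} readable={readable}")
```

The "opaque" case is the one to note: the server gives the same answer it gives http://bar.com, yet that answer passes the browser's check for the opaque-origin caller. Whether that matters depends on what the endpoint returns without credentials; if the response should be readable by no foreign page at all, omitting the header (the issue's expected result) is the stricter choice, at the cost of the header then signalling which origins were recognised.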
That makes perfect sense then; I wasn't aware that this is the valid behavior. Thanks for the explanation.
Reproduction
curl -X GET -H "Origin: http://bar.com" -I http://api
Expected result
No Access-Control-Allow-Origin is sent at all
Actual result
Access-Control-Allow-Origin is set to null
Remarks
There is a test that explicitly tests for this behavior. Therefore I'm not sure if this is intentional or not.