Security measures#

“null” origin#

The “null” origin can be matched only by a rule of the STR kind, which means it must be explicitly added to the policy’s list of rules. It never matches PATH or REGEX rules, whatever pattern they carry. This makes it clear that this special origin is being treated as such. Even when it is matched, the policy enforces some basic restrictions:

  • credentialed requests are explicitly disallowed

  • only simple request methods are allowed (GET, HEAD, POST)

  • only safe headers are allowed

In this specific case these safe settings override whatever the policy is otherwise configured with.

Note

The W3C advises against returning null as the allowed origin, but there are valid use cases where some level of access can be granted. Where that advice is to be observed, both the preflight and the response generation methods accept a strict argument, which turns on strict mode and disables CORS header generation when the request origin is null.
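The rules above (STR-only matching of “null”, the safe-settings override, and the strict switch) as an added, self-contained Python illustration; this is not the library’s own code, and the glob semantics assumed for PATH rules, the default method/header sets and the CORS-safelisted request headers used as “safe headers” are assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass, field

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Assumption: "safe headers" means the CORS-safelisted request headers.
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


@dataclass
class Rule:
    kind: str  # "STR" (exact), "PATH" (glob, an assumption) or "REGEX"
    value: str

    def matches(self, origin: str) -> bool:
        # "null" is matched only by an explicit STR rule, never by PATH or REGEX.
        if origin == "null":
            return self.kind == "STR" and self.value == "null"
        if self.kind == "STR":
            return self.value == origin
        if self.kind == "PATH":
            return fnmatch.fnmatchcase(origin, self.value)
        return re.fullmatch(self.value, origin) is not None


@dataclass
class Policy:
    rules: list
    allow_credentials: bool = False
    methods: set = field(default_factory=lambda: {"GET", "POST", "PUT", "DELETE"})
    headers: set = field(default_factory=lambda: {"content-type", "authorization"})

    def response_headers(self, origin, method, req_headers=(), credentials=False, strict=False):
        # Returns the CORS headers to emit, or {} when no CORS access is granted.
        if not any(r.matches(origin) for r in self.rules):
            return {}
        allow_credentials, methods, headers = self.allow_credentials, self.methods, self.headers
        if origin == "null":
            if strict:  # strict mode: no CORS headers at all for a "null" origin
                return {}
            # safe settings override whatever the policy configured
            allow_credentials, methods, headers = False, SIMPLE_METHODS, SAFE_HEADERS
        req = {h.lower() for h in req_headers}
        if (credentials and not allow_credentials) or method not in methods or not req <= headers:
            return {}
        out = {"Access-Control-Allow-Origin": origin,
               "Access-Control-Allow-Methods": ", ".join(sorted(methods)),
               "Access-Control-Allow-Headers": ", ".join(sorted(headers))}
        if allow_credentials:
            out["Access-Control-Allow-Credentials"] = "true"
        return out
```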