added 28 characters in body
sideshowbarker

  • When browsers must internally set an origin to a value that’ll get serialized as null
  • When browsers must send the Origin header

When browsers must set origin to a value that’ll get serialized as null

In other words everywhere the HTML spec says opaque origin, you can translate that to null.

The Fetch spec requires browsers to set the origin to a “globally unique identifier” (which basically means the same thing as “opaque origin” which basically means null…) in one case:

  1. For blob: URLs
  2. For file: URLs
  3. For any other URLs whose scheme is not one of http, https, ftp, ws, wss, or gopher.

Browsers send the Origin header for cross-origin requests initiated by a fetch() or XHR call, or by an ajax method from a JavaScript library (axios, jQuery, etc.) — but not for normal page navigations (that is, when you open a web page directly in a browser), and not (normally) for resources embedded in a web page (for example, not for CSS stylesheets, scripts, or images).

But that description is a simplification. There are cases other than cross-origin XHR/fetch/ajax calls when browsers send the Origin header, and cases when browsers send the Origin header for embedded resources. So what follows below is the longer answer.

In terms of the spec requirements: The spec requires the Origin header to be sent only for any request which the Fetch spec defines as a CORS request:

When HTML form elements initiate POST requests, the mode for those POSTs also defaults to no-cors — in the same way that embedded resources have their mode defaulted to no-cors. However, unlike the no-cors mode GET requests for embedded resources, browsers do send the Origin header for those no-cors mode POSTs initiated from HTML form elements.

Also, for completeness here and to be clear: For navigations, browsers send no Origin header. That is, if a user navigates directly to a resource — by pasting a URL into a browser address bar, or by following a link from another web document — then browsers send no Origin header.

  • When browsers must internally set an origin to a value that gets serialized as null
  • When browsers must send the Origin header

When browsers must set origin to a value that gets serialized as null

In other words, everywhere the HTML spec says opaque origin, you can translate it to null.

The Fetch spec requires browsers to set the origin to a “globally unique identifier” (essentially the same thing as “opaque origin”, which basically means null…) in one case:

  1. blob: URLs
  2. file: URLs
  3. any other URLs whose scheme is not one of http, https, ftp, ws, wss, or gopher

Browsers send the Origin header for WebSocket requests and for cross-origin requests initiated by a fetch() or XHR call, or by an ajax method from a JavaScript library (axios, jQuery, etc.) — but not for normal page navigations (that is, when you open a web page directly in a browser), and not (normally) for resources embedded in a web page (for example, not for CSS stylesheets, scripts, or images).

But that’s a simplification. There are cases other than WebSocket requests and cross-origin XHR/fetch/ajax calls when browsers send the Origin header, and cases when browsers send the Origin header for embedded resources. So what follows below is the longer answer.

In terms of spec requirements: The spec requires the Origin header to always be sent for WebSocket requests and for any request which the Fetch spec defines as a CORS request:

When HTML form elements initiate POST requests, the mode for those POSTs also defaults to no-cors — in the same way embedded resources have their mode defaulted to no-cors. However, unlike the no-cors mode GET requests for embedded resources, browsers do send the Origin header for those no-cors mode POSTs initiated from HTML form elements.

Also, for completeness and to be clear: For navigations, browsers send no Origin header. That is, if a user navigates directly to a resource — by pasting a URL into an address bar, or by following a link from another web document — then browsers send no Origin header.

deleted 102 characters in body
sideshowbarker

As far as what the relevant specs actually require, the answer can be divided into a couple parts:

The HTML spec requires browsers to set an opaque origin or unique origin in the following cases:

But it’s important to understand that just because the browser has internally set an opaque origin—essentially null—that doesn’t necessarily mean the browser will send an Origin header. So see the next part of this answer for details about when browsers must send the Origin header.

Basically, browsers send the Origin header for cross-origin requests initiated by a fetch() or XHR call, or by an ajax method from a JavaScript library (axios, jQuery, etc.) — but not for normal page navigations (that is, when you open a web page directly in a browser), and not (normally) for resources embedded in a web page (for example, not for CSS stylesheets, scripts, or images).

Font requests always have the request mode set to cors and so always have the Origin header.

For HTML form elements which initiate POST requests, the mode for those POST requests also defaults to no-cors — in the same way that embedded resources have their mode defaulted to no-cors. However, unlike the no-cors mode GET requests for embedded resources, browsers do send the Origin header for those no-cors mode POST requests initiated from HTML form elements.

Also, for completeness here and to be clear: For navigations, browsers send no Origin header. That is, if a user navigates directly to a resource — by pasting a URL into a browser address bar, or by following a link from another web document — then browsers send no Origin header.

The actual algorithm in the Fetch spec that requires browsers to send the Origin header for all CORS requests is this:

So the Firefox behavior the question describes is what the spec previously required, not what the spec currently requires.

As far as what the relevant specs actually require, the answer has a couple parts:

The HTML spec requires browsers to set an opaque origin or unique origin in these cases:

But note that just because the browser has internally set an opaque origin—essentially null—that doesn’t necessarily mean the browser will send an Origin header. So see the next part of this answer for details about when browsers must send the Origin header.

Browsers send the Origin header for cross-origin requests initiated by a fetch() or XHR call, or by an ajax method from a JavaScript library (axios, jQuery, etc.) — but not for normal page navigations (that is, when you open a web page directly in a browser), and not (normally) for resources embedded in a web page (for example, not for CSS stylesheets, scripts, or images).

Font requests always have the mode set to cors and so always have the Origin header.

When HTML form elements initiate POST requests, the mode for those POSTs also defaults to no-cors — in the same way that embedded resources have their mode defaulted to no-cors. However, unlike the no-cors mode GET requests for embedded resources, browsers do send the Origin header for those no-cors mode POSTs initiated from HTML form elements.

Also, for completeness here and to be clear: For navigations, browsers send no Origin header. That is, if a user navigates directly to a resource — by pasting a URL into a browser address bar, or by following a link from another web document — then browsers send no Origin header.

The algorithm in the Fetch spec that requires browsers to send the Origin header for all CORS requests is this:

So the Firefox behavior the question describes is what the spec previously required, not what it currently requires.

added 693 characters in body
sideshowbarker

A CORS request is an HTTP request that includes an Origin header. It cannot be reliably identified as participating in the CORS protocol as the Origin header is also included for all requests whose method is neither GET nor HEAD.

So, what the spec means there is: The Origin header is sent in all cross-origin requests, but it’s also sent for same-origin POST, PUT, PATCH, and DELETE requests (which by definition in Fetch are actually “CORS requests” — even though they’re same-origin).*

Otherwise, for embedded resources — any elements having attributes with URLs that initiate requests (<script src>, stylesheets, images, media elements) — the mode for the requests defaults to no-cors, which means browsers send no Origin header for them.

A CORS request is an HTTP request that includes an Origin header. It cannot be reliably identified as participating in the CORS protocol as the Origin header is also included for all requests whose method is neither GET nor HEAD.

So, what the spec means there is: The Origin header is sent in all cross-origin requests, but it’s also always sent for all POST, PUT, PATCH, and DELETE requests — even for same-origin POST, PUT, PATCH, and DELETE requests (which by definition in Fetch are actually “CORS requests” — even though they’re same-origin).*

Otherwise, for embedded resources — any elements having attributes with URLs that initiate requests (<script src>, stylesheets, images, media elements) — the mode for the requests defaults to no-cors; and since those requests are GET requests, that means, per-spec, browsers send no Origin header for them.

For HTML form elements which initiate POST requests, the mode for those POST requests also defaults to no-cors — in the same way that embedded resources have their mode defaulted to no-cors. However, unlike the no-cors mode GET requests for embedded resources, browsers do send the Origin header for those no-cors mode POST requests initiated from HTML form elements.

The reason for that is, as mentioned earlier in this answer, browsers always send the Origin header in all POST, PUT, PATCH, and DELETE requests.
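The rules in the answer above translate directly into a server-side Origin check, which is where they matter for defenders: a state-changing request (POST, PUT, PATCH, DELETE) always carries Origin, so one that arrives without it is not something a browser produced; a GET without Origin is just a navigation or an embedded resource and proves nothing either way; and `Origin: null` is the serialization of an opaque origin and must never match a real site origin. The following is an added example written for this page, not code from sideshowbarker's answer or from any spec; the function names, the allow-list, the origin normalization and the sample requests are all constructed for the example.

```python
"""Origin-header check for a server, built on the rules stated in the answer:

* Browsers always send Origin on POST, PUT, PATCH and DELETE, same-origin or
  not (including HTML form POSTs), so a state-changing request without Origin
  is not what a browser would produce.
* Browsers send no Origin on navigations and (normally) none on embedded GET
  resources, so a missing Origin on GET/HEAD is ordinary, not suspicious.
* An opaque origin (blob:, file:, sandboxed content) serializes as "null",
  which must never be accepted as a match for a real site origin.

Names, the allow-list and the sample requests are constructed for this
example; they are not from the answer or from any spec text.
"""
from enum import Enum
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


class Verdict(Enum):
    ALLOW = "allow"
    REJECT_MISSING_ORIGIN = "reject: state-changing request carries no Origin"
    REJECT_OPAQUE_ORIGIN = "reject: Origin is null (opaque origin)"
    REJECT_FOREIGN_ORIGIN = "reject: Origin not in the allow-list"


def normalize_origin(value):
    """Canonicalize an origin string to scheme://host[:port].

    Lower-cases scheme and host and drops the scheme's default port, so
    "HTTPS://App.Example:443" and "https://app.example" compare equal.
    Returns None for anything that is not a bare origin (missing scheme or
    host, a path/query/fragment present, or an unparsable port).
    """
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def check_origin(method, headers, allowed_origins):
    """Decide whether a request may proceed based only on method and Origin.

    `headers` maps header name -> value; lookup is case-insensitive.
    Safe methods are always allowed here: cross-origin *reads* are governed by
    CORS on the response side, not by this check.
    """
    method = method.upper()
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)

    if method not in STATE_CHANGING:
        # Navigations and embedded resources arrive without Origin; that is
        # the normal case, not evidence of anything.
        return Verdict.ALLOW
    if origin is None:
        return Verdict.REJECT_MISSING_ORIGIN
    if origin.strip().lower() == "null":
        return Verdict.REJECT_OPAQUE_ORIGIN
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    if normalize_origin(origin) in allowed:
        return Verdict.ALLOW
    return Verdict.REJECT_FOREIGN_ORIGIN


# Constructed allow-list and sample requests (method, headers), shaped the way
# the answer says a browser would send them.
ALLOWED = {"https://app.example", "https://app.example:8443"}
SAMPLES = [
    ("GET", {}),                                      # top-level navigation
    ("GET", {"Origin": "https://other.example"}),     # cross-origin fetch GET
    ("POST", {}),                                     # no browser sends this
    ("POST", {"Origin": "null"}),                     # sandboxed frame / file:
    ("POST", {"origin": "HTTPS://App.Example:443"}),  # same-origin form POST
    ("DELETE", {"Origin": "https://other.example"}),  # cross-origin XHR
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        shown = headers.get("Origin", headers.get("origin", "-"))
        print(f"{method:6} {shown:28} -> {check_origin(method, headers, ALLOWED).value}")
```

The check deliberately refuses to draw any conclusion from a GET without Origin, because per the answer that is exactly what a navigation or an embedded image/script looks like; the only requests on which a missing Origin is meaningful are the methods the answer says always carry it. Normalizing both sides before comparison matters because an origin serialization omits the default port while an allow-list written by hand may not.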
