What do you mean by origin "null" is therefore not allowed access?

373 · Asked by AnilJha in Cyber Security, Asked on Feb 1, 2022

I develop a web app. When I run the app on Android, origin in the header of a network request is null. Access-Control-Allow-Origin in the response header is null too, because the origin of the resource is something like file://..., which is changed to null. Since the last update, Chrome blocks this request with the following message:

'Access-Control-Allow-Origin' header has a value 'null' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I would like to know whether there is an advantage in allowing any origin over disabling CORS. What's the best web server configuration to serve web apps with origin null?

Answered by Amit verma

Syntax

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: <origin>
Access-Control-Allow-Origin: null

Directives

*
For requests without credentials, the literal value "*" can be specified as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials results in an error.

<origin>
Specifies an origin. Only a single origin can be specified. If the server supports clients from multiple origins, it must return the origin for the specific client making the request.

null
Specifies the origin "null".
Note: null should not be used: "It may seem safe to return Access-Control-Allow-Origin: "null", but the serialization of the Origin of any resource that uses a non-hierarchical scheme (such as data: or file:) and sandboxed documents is defined to be "null". Many User Agents will grant such documents access to a response with an Access-Control-Allow-Origin: "null" header, and any origin can create a hostile document with a "null" Origin. The origin "null" value is therefore not allowed access."

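The following is an added worked example, not part of AnilJha's question or Amit verma's answer, showing the three directive rules quoted above as server-side logic: "*" only for a credential-less public resource, otherwise exactly one origin echoed back from an allow-list, and the literal "null" never reflected. It also models the browser-side check that the quoted Chrome error describes. The allow-list entries (`https://app.example`, `capacitor://localhost`), the policy names and the `handleRequest` shape are assumptions made for the example; they are not from the page or from any framework.

```javascript
// Added example, not from the original question or answer.
// Server-side decision for the Access-Control-Allow-Origin header, following the
// directive rules quoted above: "*" only for credential-less public resources,
// otherwise exactly one origin echoed from an allow-list, and never "null".

// Constructed allow-list for the example; replace with your app's real origins.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "capacitor://localhost", // hypothetical: a packaged web view with a real, non-opaque scheme
]);

// Returns the CORS headers to add to a response, or null to add none.
//   requestOrigin: the request's Origin header (undefined when absent)
//   allowList:     origins permitted to read the response
//   credentials:   true if cookies / Authorization are accepted cross-origin
//   anyOrigin:     true for a public resource readable by every origin
function corsHeadersFor(requestOrigin, { allowList, credentials = false, anyOrigin = false }) {
  // The wildcard is only valid without credentials; with credentials the browser
  // rejects "*" anyway, so fall through to the allow-list instead.
  if (anyOrigin && !credentials) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  // No Origin header: same-origin navigation or a non-browser client.
  if (requestOrigin === undefined) return null;
  // "null" is the serialization of every opaque origin (file:, data:, sandboxed
  // iframes). Echoing it would grant any hostile document access to the response.
  if (requestOrigin === "null") return null;
  if (!allowList.has(requestOrigin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin, // one origin, the caller's own
    "Vary": "Origin", // the value is per-origin, so caches must key on Origin
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser-side CORS check as the quoted Chrome error describes it: "*" passes
// only for credential-less requests, the literal "null" never passes, and any
// other value must equal the request's origin exactly.
function browserCorsCheck(requestOrigin, acaoValue, credentialsInclude = false) {
  if (acaoValue === undefined) return false;
  if (acaoValue === "*") return !credentialsInclude;
  if (acaoValue === "null") return false;
  return acaoValue === requestOrigin;
}

// Framework-neutral request handler: req = { method, headers: { origin } }.
// Returns { status, headers } so it can be wired into any server or tested directly.
function handleRequest(req, policy) {
  const cors = corsHeadersFor(req.headers.origin, policy);
  const headers = { ...(cors || {}) };
  if (req.method === "OPTIONS") {
    // Preflight: only an allowed origin learns the permitted methods and headers.
    if (!cors) return { status: 403, headers };
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  // The resource is still served; without the ACAO header the browser withholds
  // the response body from cross-origin script, which is the point of CORS.
  headers["Content-Type"] = "application/json";
  return { status: 200, headers, body: JSON.stringify({ ok: true }) };
}

// Policy for a private API that uses cookies: allow-list only, no wildcard.
const PRIVATE_API = { allowList: ALLOWED_ORIGINS, credentials: true };
// Policy for a public, credential-less resource (e.g. static JSON): "*" is fine,
// and it is the one configuration a file:// (origin "null") app can read.
const PUBLIC_RESOURCE = { allowList: ALLOWED_ORIGINS, anyOrigin: true };
```

On the question's trade-off: with `PUBLIC_RESOURCE`, a page loaded from file:// (origin "null") can read the response because "*" is accepted for requests without credentials, whereas setting the request's mode to 'no-cors' (the other option the Chrome message offers) yields an opaque response the app cannot read. With `PRIVATE_API`, a "null" origin gets no CORS headers at all, which is the behaviour the quoted note calls for; an app that needs credentials must be served from a real, non-opaque origin that can be put on the allow-list.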