[openapi] Origin is 'null' in api testing request
Hi, I found that API testing using openapi.yaml failed due to a CORS ERROR after updating my GitLab server to 16.3.6.
/-/sandbox/swagger#/%E6%B3%A8%E5%86%8C/get_register:1 Access to fetch at '*****' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
swagger-ui-bundle.js:2
GET ******** net::ERR_FAILED 403 (Forbidden)
After investigating, I found that the new interactive API documentation is rendered in an iframe with a sandbox attribute that doesn't contain the value allow-same-origin, which may cause the Origin request header value to be set to null. I'm not sure if there's something else causing it.
Previous versions (maybe 13.15.x) were able to set the Origin header to the host correctly.
Edited by 🤖 GitLab Bot 🤖
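The behaviour reported above, as an added example that is not part of the original issue or GitLab's code: a model of the Origin a sandboxed iframe sends and of an allowlist-based CORS check on the API side that refuses it. The function names, the host gitlab.example.com and the allowlist are assumptions.

```javascript
// Added example: models the behaviour described in the issue; all names are hypothetical.

// Origin a browser serializes for a document loaded in an <iframe>.
// sandboxAttr: null when the attribute is absent, otherwise its token string.
function effectiveOrigin(documentUrl, sandboxAttr) {
  if (sandboxAttr !== null) {
    const tokens = sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean);
    // Sandboxed without allow-same-origin: opaque origin, serialized as "null".
    if (!tokens.includes('allow-same-origin')) return 'null';
  }
  return new URL(documentUrl).origin;
}

// Server-side CORS decision for the API under test.
// Returns the response headers to add, or null when the origin is refused.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  // "null" is shared by every sandboxed frame, data: URL and local file,
  // so it identifies no one and is never matched, even if listed.
  if (!requestOrigin || requestOrigin === 'null') return null;
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
  };
}

// Constructed sample values (the host is not taken from the issue).
const GITLAB_PAGE = 'https://gitlab.example.com/-/sandbox/swagger';
const ALLOWED = ['https://gitlab.example.com'];

function demo() {
  const cases = [
    ['no sandbox attribute', null],
    ['sandbox="allow-scripts"', 'allow-scripts'],
    ['sandbox="allow-scripts allow-same-origin"', 'allow-scripts allow-same-origin'],
  ];
  return cases.map(([label, sandbox]) => {
    const origin = effectiveOrigin(GITLAB_PAGE, sandbox);
    return { label, origin, allowed: corsHeadersFor(origin, ALLOWED) !== null };
  });
}

console.table(demo());
```

Granting allow-same-origin together with allow-scripts to a frame served from the embedding page's own origin lets the framed script remove the sandbox, so that combination trades the isolation for a usable Origin header.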

