
Return Access-Control-Allow-Origin: null when passed as origin

Ben Vinegar 7 years ago
parent
commit
35be34cbfd
3 changed files with 5 additions and 3 deletions
  1. 3 1
      src/sentry/utils/http.py
  2. 1 1
      src/sentry/web/api.py
  3. 1 1
      tests/sentry/utils/http/tests.py

+ 3 - 1
src/sentry/utils/http.py

@@ -246,5 +246,7 @@ def origin_from_request(request):
     # Behavior is specified in RFC6454. In either case, we should
     # treat a "null" Origin as a nonexistent one and fallback to Referer.
     if rv in ('', 'null'):
-        rv = origin_from_url(request.META.get('HTTP_REFERER'))
+        referer = request.META.get('HTTP_REFERER')
+        if referer:
+            rv = origin_from_url(referer)
     return rv
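Review bot: The comment kept above this branch still says a "null" Origin is treated as nonexistent, but with the new `if referer:` guard the function returns the literal `'null'` (or `''`) when no Referer is present; the assertion removed in the test file shows it used to return None. Callers that check the result with `is None`, or pass it to an allowed-origin match, now receive a truthy `'null'` string, so each of them should be confirmed to handle it, since opaque origins (sandboxed iframes, `data:` and `file:` documents) all send that value. I would update the comment to `# A "null" or empty Origin falls back to Referer; with no Referer the raw value is returned unchanged.` The body of origin_from_request starts outside the hunk.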

+ 1 - 1
src/sentry/web/api.py

@@ -236,7 +236,7 @@ class APIView(BaseView):
                 # to `Access-Control-Allow-Origin` and we don't have another
                 # value to work with, so just allow '*' since they've gotten
                 # this far.
-                response['Access-Control-Allow-Origin'] = '*'
+                response['Access-Control-Allow-Origin'] = 'null'
             else:
                 response['Access-Control-Allow-Origin'] = origin
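Review bot: `Access-Control-Allow-Origin: null` is not a narrower grant than `*`, because every opaque-origin context (sandboxed iframe, `data:` or `file:` document) serialises its origin as `null` and will match this header. Unlike `*`, browsers also honour `null` together with `Access-Control-Allow-Credentials: true`, so if this view sets that header anywhere (not visible in this hunk) the change widens what such a page can read. The comment above still says "just allow '*'" and no longer describes the code; I would replace it with `# Origin was "null" (opaque origin); echo it back. Any sandboxed or file:// page matches this value.` The enclosing method starts and ends outside the hunk.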
 

+ 1 - 1
tests/sentry/utils/http/tests.py

@@ -272,7 +272,7 @@ class OriginFromRequestTestCase(TestCase):
     def test_null_origin(self):
         request = HttpRequest()
         request.META['HTTP_ORIGIN'] = 'null'
-        assert origin_from_request(request) is None
+        assert origin_from_request(request) is 'null'
 
         request.META['HTTP_REFERER'] = 'http://example.com'
         assert origin_from_request(request) == 'http://example.com'
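Review bot: `is 'null'` compares object identity with a string literal, which passes only because CPython happens to intern short strings, and newer Python versions emit a SyntaxWarning for it. Use `assert origin_from_request(request) == 'null'`, matching the `==` assertion two lines below. The test also leaves the empty-Origin case uncovered: per the http.py hunk an Origin of `''` with no Referer now returns `''` rather than None, and an assertion pinning that would document the new contract.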