Closed Bug 918767 Opened 11 years ago Closed 8 years ago

[XHR2] Does not allow redirects from same-origin to other origin, CORS-enabled URL

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: hsteen, Unassigned)

References

(
URL
)

Details

Seems we're doing a few too many security checks (or just fail because something wasn't expected by the relevant code)
Test case:
http://w3c-test.org/web-platform-tests/master/XMLHttpRequest/send-redirect-to-cors.htm
We noticed this as well while fixing up the redirect logic for fetch() over in bug 1184607.
See Also: → 1184607
Firefox still doesn't behave correctly on CORS redirects with non-simple requests, e.g., requests that contain the Authorization header. Redirects used to be forbidden [1], but are now allowed [2] unless the URL contains credentials (in the style of http://username:password@example.com).


[1] https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
[2] https://fetch.spec.whatwg.org/ ("Otherwise, request's redirect mode is "follow", run these substeps:")
We need a test for this scenario. I've reported this: https://github.com/w3c/web-platform-tests/issues/2520
The web platform test in question passes now, and it also sets a custom header as per comment 3, so this issue has been resolved.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.