Closed Bug 918767 Opened 6 years ago Closed 3 years ago
[XHR2] Does not allow redirects from same-origin to other origin, CORS-enabled URL
Seems we're doing a few too many security checks (or just fail because something wasn't expected by the relevant code).
Test case: http://w3c-test.org/web-platform-tests/master/XMLHttpRequest/send-redirect-to-cors.htm
We noticed this as well while fixing up the redirect logic for fetch() over in bug 1184607.
See Also: → 1184607
Firefox still doesn't behave correctly on CORS redirects with non-simple requests, e.g., requests that contain the Authorization header. Redirects used to be forbidden, but are now allowed unless the URL contains credentials (in the style of http://username:email@example.com).
https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
https://fetch.spec.whatwg.org/ ("Otherwise, request's redirect mode is "follow", run these substeps:")
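A simplified model of the redirect rule described in the comment above, added here as an illustration; it is not part of the bug thread, not Firefox's code, and not the text of either spec. The function name `checkCorsRedirect`, its result fields, and the `app.example` / `api.example` origins are assumptions made up for the example.

```javascript
// Added illustration: decide whether a redirect received during a CORS
// request may be followed. Simplified; real user agents apply more checks.
function checkCorsRedirect(requestOrigin, currentUrl, locationHeader) {
  let target;
  try {
    // Location may be relative, so resolve it against the redirecting URL.
    target = new URL(locationHeader, currentUrl);
  } catch (e) {
    return { follow: false, reason: "unparseable Location" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { follow: false, reason: "non-HTTP(S) target" };
  }
  const crossOrigin = target.origin !== requestOrigin;
  // user:password@host style credentials embedded in the URL
  const hasCredentials = target.username !== "" || target.password !== "";
  if (crossOrigin && hasCredentials) {
    return { follow: false, reason: "credentials in cross-origin redirect URL" };
  }
  // A cross-origin hop is followed, but the final response must still pass
  // the CORS check (Access-Control-Allow-Origin) before script can read it.
  return { follow: true, url: target.href, corsCheckRequired: crossOrigin };
}

// Constructed sample redirects, all issued by https://app.example/start
const ORIGIN = "https://app.example";
const START = ORIGIN + "/start";
const samples = [
  "/next",                               // same-origin, relative
  "https://api.example/data",            // the case this bug is about
  "https://user:pw@api.example/data",    // credentials in the URL
  "ftp://api.example/data",              // not HTTP(S)
];
for (const loc of samples) {
  console.log(loc, "->", JSON.stringify(checkCorsRedirect(ORIGIN, START, loc)));
}
```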
We need a test for this scenario. I've reported this: https://github.com/w3c/web-platform-tests/issues/2520
The web platform test in question passes now, and it also sets a custom header as per comment 3, so this issue has been resolved.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME