Closed Bug 918767 Opened 6 years ago Closed 3 years ago

[XHR2] Does not allow redirects from same-origin to other origin, CORS-enabled URL

Categories

(Core :: DOM: Core & HTML, defect)

x86
Linux
defect
Not set

RESOLVED WORKSFORME

People

(Reporter: hsteen, Unassigned)

Details

Seems we're doing a few too many security checks (or just fail because something wasn't expected by the relevant code)
Test case:
http://w3c-test.org/web-platform-tests/master/XMLHttpRequest/send-redirect-to-cors.htm
We noticed this as well while fixing up the redirect logic for fetch() over in bug 1184607.
See Also: → 1184607
Firefox still doesn't behave correctly on CORS redirects with non-simple requests, e.g., requests that contain the Authorization header. Redirects used to be forbidden [1], but are now allowed [2] unless the URL contains credentials (in the style of http://username:password@example.com).
[1] https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
[2] https://fetch.spec.whatwg.org/ ("Otherwise, request's redirect mode is "follow", run these substeps:")
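The redirect rules the comment above describes, written out as an added example that is not code from the bug, from Firefox, or from the web-platform-tests: a small model of the decision a CORS-mode client makes when it sees a Location header. It encodes two facts from the comment and its references: a request carrying a non-safelisted header such as Authorization is "non-simple" and needs a preflight when it goes cross-origin, and a cross-origin redirect to a URL that embeds credentials (user:password@host) is refused rather than followed. The function and field names (`redirectDecision`, `needsPreflight`, the returned `reason` strings) and the example origins are my own assumptions, not spec or browser identifiers.

```javascript
// Added example, not from the bug report or any browser: models the
// redirect handling described in the comment above.

// CORS-safelisted request headers and the content types that keep
// Content-Type safelisted (per the CORS/Fetch specs referenced above).
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// A request is "non-simple" (needs a preflight when sent cross-origin)
// if its method or any header falls outside the safelist.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true; // e.g. Authorization
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Decide whether a CORS-mode client follows a redirect, and whether the
// redirected request will need a preflight. requestUrl is the URL that
// answered with the redirect; locationHeader is its Location value
// (absolute or relative). Name and return shape are assumptions.
function redirectDecision(requestUrl, locationHeader, method, headers) {
  const from = new URL(requestUrl);
  const to = new URL(locationHeader, from); // resolves relative Locations
  const crossOrigin = from.origin !== to.origin;

  // Cross-origin redirect to a URL with embedded credentials: refused,
  // as the comment above says (Fetch treats this as a network error).
  if (crossOrigin && (to.username !== "" || to.password !== "")) {
    return {
      follow: false, reason: "location-has-credentials",
      crossOrigin, preflight: false, target: to.href,
    };
  }

  return {
    follow: true, reason: "ok", crossOrigin,
    // A same-origin request that is redirected cross-origin becomes a
    // CORS request; non-simple headers then force a preflight.
    preflight: crossOrigin && needsPreflight(method, headers),
    target: to.href,
  };
}

// Constructed sample: the scenario from the bug title, a same-origin
// request with an Authorization header redirected to another origin.
const sample = redirectDecision(
  "http://app.example/api", "https://cdn.example/resource",
  "GET", { Authorization: "Bearer constructed-token" },
);
console.log(sample);
```

Running it prints a decision with `follow: true`, `crossOrigin: true` and `preflight: true` for the constructed sample: the redirect is followed, but because the request carries Authorization the client must preflight the new origin, which is exactly the case the comment says Firefox mishandled. The model does not implement credential stripping or the Origin header rewriting that real browsers perform on cross-origin redirects; it only captures the two rules stated on this page.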
We need a test for this scenario. I've reported this: https://github.com/w3c/web-platform-tests/issues/2520
The web platform test in question passes now, and it also sets a custom header as per comment 3, so this issue has been resolved.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME