Why do browsers not follow redirects using XMLHttpRequest and CORS?

孤街浪徒 2020-12-31 08:46

I am writing a web application for some service using a RESTful API. The API is available at https://api.example and the app at https://app.example. Simp

2 answers
  •  暗喜 (original poster)
    2020-12-31 09:49

    If it's the Chromium bug, here are the possible errors in your code given by Chromium support:

    1. If a same-origin request causes a redirect to a different origin,
      do not enforce access control checks for the redirect response
      itself, because the request which resulted in the redirect was
      same-origin.

    2. If a same-origin request causes a redirect to a different origin,
      use the original request's URL as the origin for the new request; do not use a unique security origin.

    3. Track whether the client (i.e., XMLHttpRequest) actually requested
      that credentials be sent in the first place. When a same-origin request redirects to a different origin, the original request will send cookies whether requested or not, because it is same-origin. The new cross-origin request should not send cookies unless they were requested, so that the access control checks on the response will succeed if the server granted "Access-Control-Allow-Origin=*".
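
The three rules in the answer above, written out as a small JavaScript model. This is an added example, not part of the original answer and not browser source code. `planRedirect` and `corsCheck` are hypothetical names, the URL paths are constructed, and the final check assumes the standard CORS rule that a wildcard `Access-Control-Allow-Origin` is not accepted on a credentialed request.

```javascript
// Simplified model of the three rules in the answer above; not browser source code.
// planRedirect(), corsCheck() and their field names are hypothetical.
function planRedirect({ pageOrigin, requestUrl, location, withCredentials }) {
  const from = new URL(requestUrl);
  const to = new URL(location, from); // Location may be relative
  if (from.origin !== pageOrigin) {
    throw new Error("model only covers a same-origin first request");
  }
  const crossOrigin = to.origin !== pageOrigin;
  return {
    url: to.href,
    crossOrigin,
    // Rule 1: the 3xx answered a same-origin request, so it needs no CORS headers.
    checkRedirectResponse: false,
    // Rule 2: the new request carries the original request's origin, not "null".
    originHeader: crossOrigin ? from.origin : null, // null = no Origin header needed
    // Rule 3: same-origin hops always carry cookies; the cross-origin hop
    // carries them only if the caller asked for credentials.
    sendCookies: crossOrigin ? Boolean(withCredentials) : true,
  };
}

// CORS check on the final response, given what the plan actually sent.
function corsCheck(plan, headers) {
  if (!plan.crossOrigin) return true;
  const allow = headers["access-control-allow-origin"];
  if (plan.sendCookies) {
    // Credentialed request: wildcard is rejected; the exact origin plus
    // Access-Control-Allow-Credentials: true is required.
    return allow === plan.originHeader &&
      headers["access-control-allow-credentials"] === "true";
  }
  return allow === "*" || allow === plan.originHeader;
}

// Constructed sample: the app calls its own origin, which redirects to the API.
const base = {
  pageOrigin: "https://app.example",
  requestUrl: "https://app.example/me",
  location: "https://api.example/v1/me",
};
const wildcard = { "access-control-allow-origin": "*" };
const anonymous = planRedirect({ ...base, withCredentials: false });
const credentialed = planRedirect({ ...base, withCredentials: true });
console.log(anonymous.originHeader, corsCheck(anonymous, wildcard));
console.log(credentialed.sendCookies, corsCheck(credentialed, wildcard));
```

If cookies were carried over to the cross-origin hop without being requested, the model would take the credentialed branch and a server answering with `*` would fail the check, which is the situation rule 3 avoids.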
