发表新帖
发表新帖

Why browser do not follow redirects using XMLHTTPRequest and CORS?

后端 未结
关注
2 570
孤街浪徒
孤街浪徒 2020-12-31 08:46

I am writing a web application for some service using RESTful API. The API is available at https://api.example and app at https://app.example. Simp

相关标签:
2条回答
  • 难免孤独
    2020-12-31 09:28

    I've been wrestling with this, too. It appears that 3xx redirects for preflighted CORS requests are forbidden by the spec.

    http://www.w3.org/TR/cors/

    From the spec:

    (Step 1. and 2. detail the preflighting process. And the we come to step...)

    ...3. This is the actual request. Apply the make a request steps and observe the request rules below while making the request.

    If the response has an HTTP status code of 301, 302, 303, 307, or 308 Apply the cache and network error steps.

    And then if we scroll on down to http://www.w3.org/TR/cors/#cache-and-network-error-steps:

    Whenever the network error steps are applied, terminate the algorithm that invoked this set of steps and set the cross-origin request status to network error.

    Note: This has no effect on setting of user credentials. I.e. if the block cookies flag is unset, cookies will be set by the response.

    Whenever the cache and network error steps are applied, follow these steps:

    Remove the entries in the preflight result cache where origin field value is a case-sensitive match for source origin and url field value is a case-sensitive match for request URL.

    Apply the network error steps acting as if the algorithm that invoked the cache and network error steps invoked the network error steps instead.

    (Emphasis taken from the doc.)

    3xx redirects are, however, permitted for simple CORS requests.

    0 讨论(0)
  • 暗喜
    2020-12-31 09:49

    If its the chromium bug here is the possible errors on your code given by chromium suport:

    1. If a same-origin request causes a redirect to a different origin,
      do not enforce access control checks for the redirect response
      itself, because the request which resulted in the redirect was
      same-origin.

    2. If a same-origin request causes a redirect to a different origin,
      use the original request's URL as the origin for the new request do not use a unique security origin.

    3. Track whether the client (i.e., XMLHttpRequest) actually requested
      that credentials be sent in the first place. When a same-origin request redirects to a different origin, the original request will send cookies whether requested or not, because it is same-origin. The new cross-origin request should not send cookies unless they were requested, so that the access control checks on the response will succeed if the server granted "Access-Control-Allow-Origin=*".

    0 讨论(0)
 看不清?
提交回复
热议问题