Hi,
Traditionally, a cross-origin redirect coming back to the original origin is treated as a "same-origin" resource for some kinds of resources (image, script, stylesheet), and treated as a "cross-origin" resource for the other kinds of resources (fetch API, media) in Chromium. There is a GitHub issue for the problem, and recently the spec changed so as to treat such a resource as CORS-cross-origin.
I think this is basically a good thing. I was concerned about compatibility and Dominic kindly volunteered to measure the impact, but we found I accidentally changed the behavior and Chromium behavior has been aligned with what's specced now since Chrome 71. I'm sorry about that, but since we haven't seen any complaints and the behavior change is relatively small, I'm going to adopt the new behavior. If you have any concerns please let me know.
I also found stylesheets have their own CORS logic and have not been affected by my change. Hence the current behavior is:
- image, script, fetch, media: treat a same-cross-same redirect as CORS-cross-origin
- stylesheets: treat a same-cross-same redirect as CORS-same-origin
I want to land a similar change for CSS. Do API owners and CSS owners want to measure the impact before landing the change?
Thanks,
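
The two classifications of a same-cross-same redirect discussed in this message, as an added example that is not part of the original post and is not Chromium or Fetch specification code. It is a simplified JavaScript model; the function names and the `app.example` / `cdn.example` URLs are constructed for illustration.

```javascript
// Simplified model (assumption): a response is classified from its redirect
// chain alone. All URLs are constructed sample values.

// Origin = scheme + host + port, normalized by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Older handling described for some resource types: only the final URL counts.
function classifyByFinalUrl(initiatorOrigin, urlChain) {
  const finalUrl = urlChain[urlChain.length - 1];
  return originOf(finalUrl) === initiatorOrigin
    ? "CORS-same-origin"
    : "CORS-cross-origin";
}

// Specced handling: one cross-origin hop taints the response, and returning
// to the initiator's origin afterwards does not clear the taint.
function classifyByWholeChain(initiatorOrigin, urlChain) {
  let tainted = false;
  for (const url of urlChain) {
    if (originOf(url) !== initiatorOrigin) tainted = true;
  }
  return tainted ? "CORS-cross-origin" : "CORS-same-origin";
}

// Locate the hop that introduced the taint, for auditing a redirect chain.
function firstCrossOriginHop(initiatorOrigin, urlChain) {
  const index = urlChain.findIndex((u) => originOf(u) !== initiatorOrigin);
  return index === -1 ? null : { index, url: urlChain[index] };
}

const initiator = "https://app.example";
const sameCrossSame = [
  "https://app.example/avatar",
  "https://cdn.example/redirect?to=app",
  "https://app.example/avatar.png",
];
// An explicit default port is still the same origin; a scheme change is not.
const sameOnly = ["https://app.example/a", "https://app.example:443/b"];
const schemeHop = ["https://app.example/a", "http://app.example/a", "https://app.example/a"];

for (const chain of [sameCrossSame, sameOnly, schemeHop]) {
  console.log(chain.length, "hops:",
    classifyByFinalUrl(initiator, chain), "->", classifyByWholeChain(initiator, chain));
}
```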