Hello,
I would like to understand whether the following is valid Firefox behavior or whether I am missing something.
Initial user action
1. User requests http://domainA.com/login
2. domainA serves Login page from http://domainA.com
3. User POSTs the login credentials to http://domainB.com via Ajax request. CORS is turned on by making xhr.withCredentials = true.
4. domainB.com is configured to respond to CORS requests from domainA.com.
5. A successful response is received (200). Cookie is set for domainB.com
Followup action by the user
6. Now the user manually initiates an Ajax request to another resource in domainA: http://domainA.com/myHome
7. domainA does not find login cookie for domainA yet. So, domainA returns a 302 for a "loginValidation" resource on domainA itself.
8. Firefox transparently follows 302 to loginValidation resource.
9. As a response to domainA/loginValidation request, domainA responds with another 302 but this time to a loginValidation resource on domainB.
10. Firefox does NOT follow this 302.
In this whole process, the cross domain headers were present only for the first request.
How do I make Firefox follow the 302 in the 10th step? Any ideas?
I have tried to make sense of the MDN CORS Material <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS> as well as the CORS Spec <http://www.w3.org/TR/cors/>. But I could not get specific confirmation of this behavior or help on changing it.
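
An added example, not part of the original post and not Firefox's code: a simplified model, based on the Fetch standard, of the CORS check applied to each hop of the redirect chain in steps 6 to 10, showing which response headers the cross-origin hop needs. The domainB path, all response headers, and the names `corsCheck`, `walkChain`, `chain` and `allowA` are assumptions made for illustration.

```javascript
// Added example: simplified per-hop CORS check, modelled on the Fetch standard.
const originOf = (url) => new URL(url).origin; // serializes the host in lower case

// Returns null when a response passes the CORS check, else the reason it fails.
function corsCheck(originHeader, headers, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return 'missing Access-Control-Allow-Origin';
  if (!withCredentials && acao === '*') return null;
  if (acao !== originHeader) return `Access-Control-Allow-Origin is not ${originHeader}`;
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return 'missing Access-Control-Allow-Credentials: true';
  }
  return null;
}

// hops: the URLs requested in order, each with the response headers it returned.
function walkChain(pageUrl, hops, withCredentials) {
  const pageOrigin = originOf(pageUrl);
  let originHeader = pageOrigin; // value sent in the Origin request header
  let cors = false; // set at the first cross-origin hop, never cleared afterwards
  const trace = [];
  for (let i = 0; i < hops.length; i++) {
    const here = originOf(hops[i].url);
    const prev = i > 0 ? originOf(hops[i - 1].url) : pageOrigin;
    // A foreign origin redirecting to a different origin makes Origin "null".
    if (prev !== here && prev !== pageOrigin) originHeader = 'null';
    if (here !== pageOrigin) cors = true;
    const failure = cors ? corsCheck(originHeader, hops[i].headers, withCredentials) : null;
    trace.push({ url: hops[i].url, cors, failure });
    if (failure) break; // the script sees a network error; the chain stops here
  }
  return trace;
}

// Constructed chain for steps 6 to 10; the domainB path and headers are assumptions.
const chain = (domainBHeaders) => [
  { url: 'http://domainA.com/myHome', headers: {} },
  { url: 'http://domainA.com/loginValidation', headers: {} },
  { url: 'http://domainB.com/loginValidation', headers: domainBHeaders },
];
const allowA = {
  'access-control-allow-origin': 'http://domaina.com',
  'access-control-allow-credentials': 'true',
};
console.log(walkChain('http://domainA.com/login', chain({}), true));
console.log(walkChain('http://domainA.com/login', chain(allowA), true));
```

In this model the two domainA hops need no CORS headers, while the domainB hop is checked against the lower-case serialized origin, so a wildcard or a differently cased origin value fails once credentials are included.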