
Ajax cross-domain 302 response should be followed or not?


dhar...@gmail.com

Oct 14, 2014, 12:05:03 AM
Hello,

I would like to understand if the following is valid Firefox behavior or if I am missing something.

Initial user action
1. User requests http://domainA.com/login
2. domainA serves Login page from http://domainA.com
3. User POSTs the login credentials to http://domainB.com via Ajax request. CORS is turned on by making xhr.withCredentials = true.
4. domainB.com is configured to respond to CORS requests from domainA.com.
5. A successful response is received (200). A cookie is set for domainB.com.

Followup action by the user
6. Now the user manually initiates an Ajax request to another resource in domainA: http://domainA.com/myHome
7. domainA does not find the login cookie for domainA yet. So, domainA returns a 302 to a "loginValidation" resource on domainA itself.
8. Firefox transparently follows 302 to loginValidation resource.
9. As a response to domainA/loginValidation request, domainA responds with another 302 but this time to a loginValidation resource on domainB.
10. Firefox does NOT follow this 302.

In this whole process, the cross domain headers were present only for the first request.

How do I make Firefox follow the 302 in the 10th step? Any ideas?

I have tried to make sense out of the MDN CORS material (https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) as well as the CORS spec (http://www.w3.org/TR/cors/). But I could not get specific confirmation on this behavior / help on changing the behavior.

Boris Zbarsky

Oct 14, 2014, 8:43:52 AM
On 10/14/14, 12:05 AM, dhar...@gmail.com wrote:
> How do I make the firefox follow the 302 in 10th step? Any ideas?

What do the exact requests look like? Cross-site redirects in cases
where a preflight would be needed are not allowed in CORS, so make sure
that your request is not falling in that bucket.

-Boris

dhar...@gmail.com

Oct 14, 2014, 11:36:40 PM
Hi Boris,

Thanks for the reply.

I am trying to understand exactly what information I can supply to you.
Are you trying to understand if the requests were GET / POST / OPTIONS etc., or more information than that?

I can accordingly supply the information here.