Ajax cross-domain 302 response should be followed or not?


Ajax cross-domain 302 response should be followed or not?

dharapvj
Hello,

I would like to understand if the following is valid Firefox behavior or if I am missing something.

Initial user action
1. User requests http://domainA.com/login
2. domainA serves Login page from http://domainA.com
3. User POSTs the login credentials to http://domainB.com via Ajax request. CORS is turned on by making xhr.withCredentials = true.
4. domainB.com is configured to respond to CORS requests from domainA.com.
5. A successful response is received (200). Cookie is set for domainB.com

Followup action by the user
6. Now the user manually initiates an Ajax request to another resource in domainA: http://domainA.com/myHome
7. domainA does not find login cookie for domainA yet. So, domainA returns a 302 for a "loginValidation" resource on domainA itself.
8. Firefox transparently follows 302 to loginValidation resource.
9. As a response to domainA/loginValidation request, domainA responds with another 302 but this time to a loginValidation resource on domainB.
10. Firefox does NOT follow this 302.

In this whole process, the cross domain headers were present only for the first request.

How do I make Firefox follow the 302 in the 10th step? Any ideas?

I have tried to make sense of the MDN CORS Material <https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS> as well as the CORS Spec <http://www.w3.org/TR/cors/>. But I could not get specific confirmation on this behavior / help on changing the behavior.

_______________________________________________
dev-tech-network mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-network

Re: Ajax cross-domain 302 response should be followed or not?

Boris Zbarsky
On 10/14/14, 12:05 AM, [hidden email] wrote:
> How do I make the firefox follow the 302 in 10th step? Any ideas?

What do the exact requests look like?  Cross-site redirects in cases
where a preflight would be needed are not allowed in CORS, so make sure
that your request is not falling in that bucket.

-Boris
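
The rule in the reply above, as an added example that is not part of the original thread: it classifies a request with the simple-method and simple-header lists from the CORS spec linked in the first message, then walks a redirect chain and stops at the first hop that rule would block. The loginValidation URLs and the X-Requested-With header are constructed sample values, not details supplied by the poster.

```javascript
// Simple methods, headers and Content-Type values per the W3C CORS spec.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns why a cross-origin request would need a preflight, or null if it is "simple".
function preflightReason(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return `method ${req.method}`;
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lower = name.toLowerCase();
    if (SIMPLE_HEADERS.has(lower)) continue;
    if (lower === "content-type") {
      // Parameters such as "; charset=UTF-8" are ignored for this comparison.
      const mime = value.split(";")[0].trim().toLowerCase();
      if (SIMPLE_CONTENT_TYPES.has(mime)) continue;
      return `content-type ${mime}`;
    }
    return `header ${name}`; // any author-set header outside the simple list
  }
  return req.uploadListeners ? "upload event listeners" : null;
}

// Walks the Location targets of a redirect chain. A hop is blocked when the
// request is (or already became) cross-origin and would have needed a preflight.
// A followed cross-origin hop must still pass the Access-Control-Allow-Origin check.
function traceRedirects(pageUrl, req, locations) {
  const pageOrigin = new URL(pageUrl).origin;
  const reason = preflightReason(req);
  const hops = [];
  let cors = false;
  for (const url of locations) {
    cors = cors || new URL(url).origin !== pageOrigin;
    const followed = !(cors && reason);
    hops.push({ url, followed, why: cors ? reason || "simple request" : "same-origin" });
    if (!followed) break;
  }
  return hops;
}

// Constructed chain modelled on steps 7 and 9 of the question.
const SAMPLE_CHAIN = ["http://domainA.com/loginValidation", "http://domainB.com/loginValidation"];
const SAMPLE_PAGE = "http://domainA.com/login";
const withCustom = { method: "GET", headers: { "X-Requested-With": "XMLHttpRequest" } };
console.log(traceRedirects(SAMPLE_PAGE, { method: "GET", headers: {} }, SAMPLE_CHAIN));
console.log(traceRedirects(SAMPLE_PAGE, withCustom, SAMPLE_CHAIN));
```
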

Re: Ajax cross-domain 302 response should be followed or not?

dharapvj
Hi Boris,

Thanks for the reply.

Trying to understand exactly what information can be supplied to you.
Are you trying to understand if the requests were GET / POST / OPTIONS etc., or more information than that?

I can accordingly supply the information here.


On Tuesday, October 14, 2014 6:13:52 PM UTC+5:30, Boris Zbarsky wrote:
> What do the exact requests look like?  Cross-site redirects in cases
> where a preflight would be needed are not allowed in CORS, so make sure
> that your request is not falling in that bucket.
>
> -Boris