Ajax cross-domain 302 response should be followed or not?
I would like to understand if the following is valid Firefox behavior or if I am missing something.
Initial user action
1. User requests http://domainA.com/login
2. domainA serves Login page from http://domainA.com
3. User POSTs the login credentials to http://domainB.com via Ajax request. CORS is turned on by making xhr.withCredentials = true.
4. domainB.com is configured to respond to CORS requests from domainA.com.
5. A successful response is received (200). Cookie is set for domainB.com
Followup action by the user
6. Now user manually initiates Ajax request to another resource in domainA: http://domainA.com/myHome
7. domainA does not find login cookie for domainA yet. So, domainA returns a 302 for a "loginValidation" resource on domainA itself.
8. Firefox transparently follows 302 to loginValidation resource.
9. As a response to domainA/loginValidation request, domainA responds with another 302 but this time to a loginValidation resource on domainB.
10. Firefox does NOT follow this 302.
In this whole process, the cross-domain headers were present only for the first request.
How do I make Firefox follow the 302 in the 10th step? Any ideas?
Re: Ajax cross-domain 302 response should be followed or not?
Thanks for the reply.
Trying to understand exactly what information can be supplied to you...
Are you trying to understand if the requests were GET / POST / OPTIONS etc.? Or more information than that?
I can accordingly supply the information here.
On Tuesday, October 14, 2014 6:13:52 PM UTC+5:30, Boris Zbarsky wrote:
> What do the exact requests look like? Cross-site redirects in cases
> where a preflight would be needed are not allowed in CORS, so make sure
> that your request is not falling in that bucket.