22151 2013-05-23 10:19:36 +0000 Special case cross-origin -> Same origin redirect, omit credentials unless withCredentials is explicitly set to true 2013-05-23 10:21:14 +0000 1 1 1 Unclassified WHATWG Fetch unspecified PC Linux RESOLVED INVALID P2 normal Unsorted 1 hsteen annevk mike sideshowbarker+fetchspec oldest_to_newest 88119 0 hsteen 2013-05-23 10:19:36 +0000 http://fetch.spec.whatwg.org/#basic-fetch [[ If the CORS flag is set and response's location's origin is not request's url's origin, set request's origin to a globally unique identifier. ]] I'm not sure if this is already handled, but as far as I've been able to interpret the spec it isn't fully dealt with: If a CORS-request is redirected back to a same-origin URL Request from: www.example.com/foo Request to: crossorigin.example.com/bar Redirects to: www.example.com/foo/2 by the above "origin" will be set to a GUID, so the Origin: and Referer: headers will be omitted in the next request. However, cookies and other credentials will be included by default as it is now same-origin as the requesting page? Any cross-origin -> same origin redirect should make sure the credentials mode stays the same. So for example with XHR, unless withCredentials is explicitly set to true, cookies should be omitted in the new same-origin request. 88120 1 hsteen 2013-05-23 10:21:14 +0000 So it should be handled because the GUID should not equal the origin of the original page. (A note to explain this effect would be welcome..)