<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://www.w3.org/Bugs/Public/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4"
          urlbase="https://www.w3.org/Bugs/Public/"
          
          maintainer="sysbot+bugzilla@w3.org"
>

    <bug>
          <bug_id>26238</bug_id>
          
          <creation_ts>2014-06-30 11:39:18 +0000</creation_ts>
          <short_desc>[new feature] Add follow redirects back</short_desc>
          <delta_ts>2015-03-27 12:29:42 +0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>WebAppsWG</product>
          <component>XHR</component>
          <version>unspecified</version>
          <rep_platform>PC</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>DUPLICATE</resolution>
          <dup_id>28343</dup_id>
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P2</priority>
          <bug_severity>minor</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Jonathan Kingston">jonathan</reporter>
          <assigned_to name="Anne">annevk</assigned_to>
          <cc>hsteen</cc>
    
    <cc>mike</cc>
    
    <cc>public-webapps</cc>
          
          <qa_contact>public-webapps-bugzilla</qa_contact>

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>108483</commentid>
    <comment_count>0</comment_count>
    <who name="Jonathan Kingston">jonathan</who>
    <bug_when>2014-06-30 11:39:18 +0000</bug_when>
    <thetext>Add follow redirects back into WHATWG XHR specification: http://xhr.spec.whatwg.org/

As mentioned on this post: http://discourse.specifiction.org/t/followredirects-in-xmlhttprequest/420/11?u=jonathank

The intent is to put back in the followRedirects feature which was a security improvement from the client side to prevent calls following to unexpected URL changes.

The expected result when the AJAX request returns a redirect code and followRedirects is disabled then it should return a network error.

This should follow the same definition as the original specification: http://www.w3.org/TR/2010/WD-XMLHttpRequest2-20100907/#the-followredirects-attribute

However it shouldn&apos;t return a response if there is a redirect just a network error to the callbacks.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>108484</commentid>
    <comment_count>1</comment_count>
    <who name="Anne">annevk</who>
    <bug_when>2014-06-30 11:42:09 +0000</bug_when>
    <thetext>So the use case here is failing early, right?</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>108485</commentid>
    <comment_count>2</comment_count>
    <who name="Jonathan Kingston">jonathan</who>
    <bug_when>2014-06-30 11:47:19 +0000</bug_when>
    <thetext>That is right, so to prevent scripts that really only want the one resource to be able to turn off the feature of jumping through the redirects.

The behaviour should be a browser engineered error code sent to the callbacks.

The browser should not follow any redirects at all, only one server call should be made.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>108488</commentid>
    <comment_count>3</comment_count>
    <who name="Anne">annevk</who>
    <bug_when>2014-06-30 13:21:01 +0000</bug_when>
    <thetext>If we add this we should probably name it disableRedirectHandling per bug 25791. failOnRedirects or some such could maybe also work.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>113467</commentid>
    <comment_count>4</comment_count>
    <who name="Anne">annevk</who>
    <bug_when>2014-10-20 16:19:42 +0000</bug_when>
    <thetext>I found out that with HSTS this could be used to detect whether a user has previously visited a site. It might be that CSP and other features enable the same kind of attack however.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>113468</commentid>
    <comment_count>5</comment_count>
    <who name="Anne">annevk</who>
    <bug_when>2014-10-20 16:20:10 +0000</bug_when>
    <thetext>However, if we add this we might add it as a feature for fetch() instead.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>118978</commentid>
    <comment_count>6</comment_count>
    <who name="Anne">annevk</who>
    <bug_when>2015-03-27 12:29:42 +0000</bug_when>
    <thetext>fetch() it is.

*** This bug has been marked as a duplicate of bug 28343 ***</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>