This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 22151 - Special case cross-origin -> Same origin redirect, omit credentials unless withCredentials is explicitly set to true
Status: RESOLVED INVALID
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
Reported: 2013-05-23 10:19 UTC by Hallvord R. M. Steen
Modified: 2013-05-23 10:21 UTC

Description Hallvord R. M. Steen 2013-05-23 10:19:36 UTC
http://fetch.spec.whatwg.org/#basic-fetch

[[
If the CORS flag is set and response's location's origin is not request's url's origin, set request's origin to a globally unique identifier.
]]

I'm not sure if this is already handled, but as far as I've been able to interpret the spec, it isn't fully dealt with:

If a CORS-request is redirected back to a same-origin URL

Request from: www.example.com/foo
Request to: crossorigin.example.com/bar
Redirects to: www.example.com/foo/2

By the above, "origin" will be set to a GUID, so the Origin: and Referer: headers will be omitted in the next request. However, will cookies and other credentials be included by default, as it is now same-origin as the requesting page?

Any cross-origin -> same-origin redirect should make sure the credentials mode stays the same. So, for example, with XHR, unless withCredentials is explicitly set to true, cookies should be omitted in the new same-origin request.
Comment 1 Hallvord R. M. Steen 2013-05-23 10:21:14 UTC
So it should be handled because the GUID should not equal the origin of the original page.

(A note to explain this effect would be welcome..)