This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
If we expose redirects, a same-origin request with an HttpOnly cookie that redirects with some credentials to a cross-origin URL could be exposed and would make existing services less secure. Jonas Sicking brought this up on 23 Jan 2014. Apparently this was a problem when Gecko did not return a network error from XMLHttpRequest for that scenario but instead returned the redirect response.
See also https://github.com/slightlyoff/ServiceWorker/issues/47#issuecomment-33158765
https://github.com/whatwg/fetch/commit/c62ca3cf40c6f7cef2d2e423185b7d1ffed89eb9
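
A simplified model of the scenario in this report, added here as an illustration (it is not code from the bug, the Fetch specification or Gecko): it compares what page script can observe when a cross-origin redirect response is handed to it with what it observes when the request fails with a network error. The `NETWORK` map, the URLs, the token and the function names are constructed for the example, and the model assumes the cross-origin target does not opt in to sharing.

```javascript
// Constructed in-memory "network"; every URL and the token are made-up sample values.
const TOKEN = "CONSTRUCTED-TOKEN-123";
const NETWORK = new Map([
  // The server authenticates this request with an HttpOnly cookie that script
  // cannot read, then redirects cross-origin with a credential in the URL.
  ["https://app.example/export", { status: 302, location: `https://files.example/get?token=${TOKEN}` }],
  ["https://app.example/old", { status: 302, location: "https://app.example/new" }],
  ["https://app.example/new", { status: 200, body: "same-origin page" }],
  [`https://files.example/get?token=${TOKEN}`, { status: 200, body: "file bytes" }],
]);

const isRedirect = (res) => [301, 302, 303, 307, 308].includes(res.status);

// Returns what page script would observe for a request it starts at startUrl.
// policy "expose": hand the cross-origin redirect response to script
//   (the behaviour the report warns about).
// policy "network-error": fail the request instead of revealing the redirect.
function observe(startUrl, policy) {
  const origin = new URL(startUrl).origin;
  let url = startUrl;
  for (let hops = 0; hops < 20; hops++) {
    const res = NETWORK.get(url);
    if (!res) return { kind: "network-error" };
    if (!isRedirect(res)) return { kind: "response", status: res.status, body: res.body };
    const next = new URL(res.location, url);
    if (next.origin !== origin) {
      return policy === "expose"
        ? { kind: "response", status: res.status, location: next.href }
        : { kind: "network-error" };
    }
    url = next.href; // same-origin hop: followed without being shown to script
  }
  return { kind: "network-error" }; // redirect loop guard
}

// True when the credential carried in the redirect URL is visible to script.
function leaksToken(observed) {
  return JSON.stringify(observed).includes(TOKEN);
}

console.log(leaksToken(observe("https://app.example/export", "expose")));
console.log(leaksToken(observe("https://app.example/export", "network-error")));
```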