24375 – Explain why redirects are atomic

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 24375 - Explain why redirects are atomic

Summary: Explain why redirects are atomic

Status:	RESOLVED FIXED

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	Fetch (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 normal
Target Milestone:	Unsorted
Assignee:	Anne
QA Contact:	sideshowbarker+fetchspec

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-01-23 19:25 UTC by Anne
Modified:	2014-05-19 12:39 UTC (History)
CC List:	1 user (show)

See Also:

Attachments

Description Anne 2014-01-23 19:25:33 UTC

If we expose redirects a same-origin request with a httponly cookie that redirects with some credentials to a cross-origin URL could be exposed and would make existing services less secure.

Jonas Sicking brought this up 23 Jan 2014. Apparently this was a problem when Gecko did not return a network error from XMLHttpRequest for that scenario but instead returned the redirect response.

Comment 1 Anne 2014-01-23 19:25:55 UTC

See also https://github.com/slightlyoff/ServiceWorker/issues/47#issuecomment-33158765

Comment 2 Anne 2014-05-19 12:39:41 UTC

https://github.com/whatwg/fetch/commit/c62ca3cf40c6f7cef2d2e423185b7d1ffed89eb9