CORS request with Preflight and redirect: disallowed. Workarounds?

by

The original standard does preclude redirect after a successful CORS preflight. Quoting § 7.1.5.3:

This is the actual request. Apply the make a request steps and observe the request rules below while making the request.

  • If the response has an HTTP status code of 301, 302, 303, 307, or 308
    Apply the cache and network error steps.

Due to your efforts (thanks!), on August 4 2016 the standard was updated to allow redirect after successful CORS preflight check.

Until browsers catch up, the only feasible options seem to be one or a combination of:

  1. Issue redirects only for simple requests.
  2. Issue a 305 redirect, with your own URL in the Location header as the “proxy”. Be prepared for limited browser support, as 305 is deprecated.
  3. Do a fake “redirect”:
  • return HTML with meta refresh and/or Javascript Location change.
  • return HTML that has a viewport-filling iframe with the redirect target as the iframe’s source.
  • display a link that the user has to click in order to access the content.

More Related Contents:

  1. Why is an OPTIONS request sent and can I disable it?
  2. What are proper status codes for CORS preflight requests?
  3. What is the motivation behind the introduction of preflight CORS requests?
  4. CORS with POSTMAN
  5. When do browsers send the Origin header? When do browsers set the origin to null?
  6. http to https through .htaccess
  7. CORS Access-Control-Allow-Headers wildcard being ignored?
  8. HTTP redirect: 301 (permanent) vs. 302 (temporary)
  9. Is a 302 redirect to relative URL valid, or invalid?
  10. How to CORS-enable Apache web server (including preflight and custom headers)?
  11. How to redirect user’s browser URL to a different page in Nodejs?
  12. What’s the difference between a 302 and a 307 redirect?
  13. Difference between HTTP redirect codes
  14. Why can’t I set a cookie and redirect?
  15. URL hash is persisting between redirects
  16. Setting HTTP headers
  17. Angular2 OPTIONS method sent when asking for http.GET [duplicate]
  18. Cross Origin Resource Sharing with Credentials
  19. What is correct HTTP status code when redirecting to a login page?
  20. What does HTTP/1.1 302 mean exactly?
  21. How to make XMLHttpRequest cross-domain withCredentials, HTTP Authorization (CORS)?
  22. luaSocket HTTP requests always respond with a redirect (301 or 302)
  23. htaccess redirect for non-www both http and https
  24. AngularJS performs an OPTIONS HTTP request for a cross-origin resource
  25. How to $http Synchronous call with AngularJS
  26. Why is it said that “HTTP is a stateless protocol”?
  27. What is Cache-Control: private?
  28. Custom HTTP Authorization Header
  29. Multiple HTTP Authorization headers?
  30. Standard method for HTTP partial upload, resume upload

Leave a Comment