[fetch] Redirect on preflighted CORS requests generally impossible (#204)

(From [the mailing list](https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0119.html).)

With the given state of the standard, it is impossible to design APIs that use redirection on authenticated resources and allow access by clients implementing the standard.

The reason for this is that redirects on preflight CORS requests are generally forbidden. [An older version of the standard](https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0) says:

> 7.1.5 Cross-Origin Request with Preflight
> If the response has an HTTP status code that is not in the 2xx range
> Apply the network error steps.

I cannot find this passage in [the latest revision](https://fetch.spec.whatwg.org/), but it's perhaps been rephrased. (Am I right?)

This restriction seems too strict as it disallows valid (RESTful) use patterns.

Opinions?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/204

Received on Friday, 22 January 2016 16:25:50 UTC
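
The preflight rule quoted above, as an added example that is not part of the original message or of either specification: a simplified JavaScript model of the checks a client applies to a preflight response under the older W3C CORS text. The function names and the sample request and response objects are assumptions constructed for illustration.

```javascript
// Simplified model of the preflight checks in W3C CORS section 7.1.5 (added example).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

const lowerKeys = (obj) =>
  Object.fromEntries(Object.entries(obj || {}).map(([k, v]) => [k.toLowerCase(), v]));
const tokens = (value) => (value || "").split(",").map((t) => t.trim()).filter(Boolean);

// Header names the server must explicitly allow (everything that is not a simple header).
function authorHeaders(req) {
  return Object.entries(lowerKeys(req.headers))
    .filter(([name, value]) => {
      if (name === "content-type") return !SIMPLE_TYPES.has(value.split(";")[0].trim().toLowerCase());
      return !SIMPLE_HEADERS.has(name);
    })
    .map(([name]) => name);
}

function needsPreflight(req) {
  return !SIMPLE_METHODS.has(req.method) || authorHeaders(req).length > 0;
}

// Returns "ok" or a "network error: ..." string for a preflight (OPTIONS) response.
function checkPreflight(req, res) {
  // The rule quoted in the post: any status outside 2xx fails, so a 3xx redirect
  // is never followed and the actual request is never sent.
  if (res.status < 200 || res.status > 299) return `network error: preflight status ${res.status}`;
  const h = lowerKeys(res.headers);
  const origin = h["access-control-allow-origin"];
  if (req.credentials) {
    if (origin !== req.origin) return "network error: origin not allowed"; // "*" is not enough
    if (h["access-control-allow-credentials"] !== "true") return "network error: credentials not allowed";
  } else if (origin !== "*" && origin !== req.origin) {
    return "network error: origin not allowed";
  }
  if (!SIMPLE_METHODS.has(req.method) && !tokens(h["access-control-allow-methods"]).includes(req.method)) {
    return "network error: method not allowed";
  }
  const allowed = tokens(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  const missing = authorHeaders(req).filter((n) => !allowed.includes(n));
  return missing.length ? `network error: header not allowed (${missing.join(", ")})` : "ok";
}

// Constructed sample: an authenticated PUT whose preflight is answered with a redirect.
const sampleRequest = { method: "PUT", origin: "https://app.example", credentials: true,
  headers: { Authorization: "Bearer <token>" } };
const redirectingPreflight = { status: 307, headers: { Location: "https://api2.example/items/1" } };
```

With these samples, `checkPreflight(sampleRequest, redirectingPreflight)` fails on the status check before any `Access-Control-*` header is examined.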