Re: [whatwg/fetch] Redirect on preflighted CORS requests generally impossible (#204)

> (From [the mailing list](https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0119.html).)
> 
> With the given state of the standard, it is impossible to design APIs that use redirection on authenticated resources and allow access by clients implementing the standard.
> 
> The reason for this is that redirects on preflight CORS requests are generally forbidden. [An older version of the standard](https://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0) says
> 
> > 7.1.5 Cross-Origin Request with Preflight
> > If the response has an HTTP status code that is not in the 2xx range
> > Apply the network error steps.
> 
> I cannot find this passage in [the latest revision](https://fetch.spec.whatwg.org/), but it's perhaps been rephrased. (Am I right?)
> 
> This restriction seems too strict as it disallows valid (RESTful) use patterns.
> 
> Opinions?

https://github.com/whatwg/fetch/issues/204#issue-128191407

-- 
https://github.com/whatwg/fetch/issues/204#issuecomment-1858832421

Message ID: <whatwg/fetch/issues/204/1858832421@github.com>

Received on Saturday, 16 December 2023 14:32:48 UTC