- From: Ruben Verborgh <ruben.verborgh@ugent.be>
- Date: Wed, 4 Dec 2019 08:12:31 -0500
- To: Yves Lafon <ylafon@w3.org>
- Cc: Tim Berners-Lee <timbl@w3.org>, "sysreq@w3.org Requests" <sysreq@w3.org>, Public TAG List <www-tag@w3.org>
Dear all,
I was able to reproduce this behavior in Chrome with
fetch('http://www.w3.org/1999/02/22-rdf-syntax-ns', { headers: { special: 'special' } })
where the extra header is used to trigger the preflight request.
Firefox does not perform internal HSTS redirects;
instead it seems to simply rewrite URLs to their https: version.
So this bug seems to be caused by Chrome making the redirect explicit,
and then refusing to process its own redirect response
because the reply to a CORS preflight cannot be a redirect.
It all comes down to the question of whether to treat internal HSTS redirects
as actual redirects that need to follow the CORS rules.
Best,
Ruben
Received on Wednesday, 4 December 2019 13:12:40 UTC