Bug 98838

Summary:	XHR CORS on 302 Redirect sets Origin to "null" in request
Product:	WebKit	Reporter:	Terin Stock <terinjokes>
Component:	Page Loading	Assignee:	Nobody <webkit-unassigned>
Status:	UNCONFIRMED
Severity:	Major	CC:	abarth, achristensen, ap, bbudge, beidson, brent, micahnyc, mike, webdev, youennf
Priority:	P2	Keywords:	InRadar
Version:	528+ (Nightly build)
Hardware:	Unspecified
OS:	Unspecified
See Also:	https://bugs.webkit.org/show_bug.cgi?id=144817 https://bugs.webkit.org/show_bug.cgi?id=222653

Terin Stock

Reported 2012-10-09 18:00:39 PDT

Chrome Version : 24.0.1284.2 dev Safari Version : 6.0.1 (8536.26.14) Other browsers tested: Add OK or FAIL after other browsers where you have tested this issue: Firefox 15.x: OK IE 8: OK What steps will reproduce the problem? 0. Be on one domain (host: http://example.test) 1. Initiate a XHR CORS request to a resource. (host: http://test1.example.org) 2. The resource issues a 302 redirect to another resource on another domain (host: http://test2.example.org) What is the expected result? The second request (to test2.example.org) would have set the Origin to "example.test" in the request What happens instead? During the second request the Origin is set to "null"

Attachments
Add attachment proposed patch, testcase, etc.

Terin Stock

Comment 1 2012-10-09 18:20:14 PDT

X-Post: Safari: rdar://problem/12466595 (http://openradar.appspot.com/radar?id=2135401) Chrome: http://openradar.appspot.com/radar?id=2135401

Bill Budge

Comment 2 2013-02-25 12:46:57 PST

Here is a web page that demonstrates the problem. The second test causes a cross-origin redirect, and the new request has no 'Origin' header. http://origin-a.sigusrone.com/cors-redirect-accept-header

Alexey Proskuryakov

Comment 3 2013-03-18 22:04:42 PDT

See also: bug 112471.

Brent Royal-Gordon

Comment 4 2017-09-15 23:51:45 PDT

I've experienced this behavior with a 303 redirect as well. My site was using the S3 "Browser-Based Uploads Using POST" feature, which can optionally emit a 303 redirect once the upload is complete.

youenn fablet

Comment 5 2017-09-18 09:34:19 PDT

http://origin-a.sigusrone.com/cors-redirect-accept-header is now working properly. Brent, have you tried recent Safari versions, like Safari Tech Preview? Would you be able to provide a reduced test case?

Note You need to log in before you can comment on or make changes to this bug.