
The W3C CORS spec clearly states in Step 2:

If the response has an HTTP status code of 301, 302, 303, 307, or 308

 Apply the cache and network error steps.

I think that this measure has been added to mitigate security risks. However, I am unable to find a source detailing what exactly the security ramifications of allowing redirects will be.


Questions about how to circumvent this issue have been asked before. I am looking for an explanation of why was this clause included in the specification in the first place, like the following questions:

CORS - What is the motivation behind introducing preflight requests?

Why does a cross-origin HEAD request need a preflight check?

musically_ut
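As an added illustration of the spec step quoted in the question (this is not code from the question, the answer or the spec), the following in-process model has a tiny "browser" perform a preflight and apply the network error step instead of following a redirect. The two servers are hypothetical: redirecting_server canonicalises paths with a 301 for every method, OPTIONS included, so its preflight fails; direct_server answers the preflight at the requested path and passes.

```python
# Added example, not code from the question or the answer. Models the quoted
# spec step: a preflight response with status 301/302/303/307/308 is a network
# error, never a redirect to follow. Server names and the allow-list are constructed.

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
ALLOWED_ORIGINS = {"https://app.example"}  # constructed allow-list

class NetworkError(Exception):
    """Raised where the spec says 'apply the cache and network error steps'."""

def preflight_response(headers):
    """Answer an OPTIONS preflight: 403 for unknown origins, 204 + CORS headers otherwise."""
    origin = headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, PUT, DELETE",
        "Vary": "Origin",
    }

def redirecting_server(method, path, headers):
    # Adds a trailing slash via 301 for every method, including OPTIONS: the mistake.
    if not path.endswith("/"):
        return 301, {"Location": path + "/"}
    return preflight_response(headers)

def direct_server(method, path, headers):
    # Answers the preflight where it was sent; only non-preflight traffic is redirected.
    if method != "OPTIONS" and not path.endswith("/"):
        return 301, {"Location": path + "/"}
    return preflight_response(headers)

def browser_preflight(server, origin, method, path):
    """True if the preflight grants `method`; NetworkError where the spec says so."""
    status, resp = server("OPTIONS", path, {"Origin": origin,
                                            "Access-Control-Request-Method": method})
    if status in REDIRECT_STATUSES:  # Step 2 quoted in the question: do not follow
        raise NetworkError(f"preflight answered with {status}; redirect not followed")
    if not 200 <= status <= 299:
        raise NetworkError(f"preflight status {status}")
    if resp.get("Access-Control-Allow-Origin") != origin:
        raise NetworkError("origin not allowed")
    # Simplified check: the real spec also accepts some methods without listing them.
    return method in {m.strip() for m in resp.get("Access-Control-Allow-Methods", "").split(",")}
```

The practical consequence for a server operator is that framework-level redirects (trailing-slash or scheme canonicalisation) must not fire on OPTIONS requests that carry an Origin header.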

1 Answer


From the WHATWG mailing list:

Mostly because with preflight fetches everything gets more complicated. We did leave the door open to potentially allow this at some point, provided we figure out a sane protocol, but left it out initially for simplicity.

musically_ut