CORS request with Preflight and redirect: disallowed. Workarounds?

redirect http cors preflight

The original standard does preclude redirect after a successful CORS preflight. Quoting § 7.1.5.3:

This is the actual request. Apply the make a request steps and observe the request rules below while making the request.

  • If the response has an HTTP status code of 301, 302, 303, 307, or 308 Apply the cache and network error steps.

Due to your efforts (thanks!), on August 4 2016 the standard was updated to allow redirect after successful CORS preflight check.

Until browsers catch up, the only feasible options seem to be one or a combination of:

  1. Issue redirects only for simple requests.
  2. Issue a 305 redirect, with your own URL in the Location header as the "proxy". Be prepared for limited browser support, as 305 is deprecated.
  3. Do a fake "redirect":
  • return HTML with meta refresh and/or Javascript Location change.
  • return HTML that has a viewport-filling iframe with the redirect target as the iframe's source.
  • display a link that the user has to click in order to access the content.

Related

Regex replace text outside html tags
What is the best way to parse html in google apps script
why font list is empty for imagemagick?
asp.net - session - multiple browser tabs - different sessions?
SQL time difference between two dates result in hh:mm:ss
Calling an ASP.NET server side method via jQuery
Dynamically Created Controls losing data after postback
Circular reference detected exception while serializing object to JSON
How can I Populate a ListView in JavaFX using Custom Objects?
Why does Britain use "Way Out" rather than "Exit"?
Why does "whence" have "when" in it?
Origin of "do not argue with idiots" [closed]