I'm designing an API that allows the user to authenticate (using tokens) and that contains redirects within the same domain. Now, for an unauthenticated request to an endpoint that returns 303,

```
GET /documents/123 --> 303 redirect to /documents/abc
GET /documents/abc --> 200
```

everything works out nicely.
Let's do an authenticated request to the same endpoint where the `Authorization` header is sent. This makes the request a preflighted request and the browser does a preflight `OPTIONS` request, i.e.

```
OPTIONS /documents/123 --> 204 (everything okay, please proceed)
GET     /documents/123 --> 303 redirect to /documents/abc
```
At this point, instead of GETting the actual resource at `/documents/abc`, the browser yields

```
XMLHttpRequest cannot load http://localhost:8000/people/username/nschloe.
The request was redirected to 'http://localhost:8000/people/YDHa-B2FhMie',
which is disallowed for cross-origin requests that require preflight.
```
This behavior is in accordance with the standard:

> **7.1.5 Cross-Origin Request with Preflight**
>
> If the response has an HTTP status code that is not in the 2xx range
> Apply the network error steps.
This seems to mean that one cannot do redirects for authenticated resources, even if the redirect is on the same domain (`localhost`).

Can this really be true? Is there a common workaround?
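The two exchanges above, modelled end to end as an added example (not code from the original post): a minimal server side that answers the preflight and issues the 303, and a client side that applies the quoted rule that a non-2xx response to a preflighted request is a network error. The API origin, the page origin and the bearer token are constructed values.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

ORIGIN = "http://localhost:8000"   # assumed API origin, as in the question
Response = Tuple[int, Dict[str, str]]

def api(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Server side: CORS preflight, the 303 redirect and the final resource."""
    cors = {
        "Access-Control-Allow-Origin": "http://app.example",  # constructed page origin
        "Access-Control-Allow-Headers": "Authorization",
    }
    if method == "OPTIONS":
        return 204, cors                                   # "please proceed"
    if path == "/documents/123":
        return 303, {**cors, "Location": f"{ORIGIN}/documents/abc"}
    if path == "/documents/abc":
        return 200, cors
    return 404, cors

def needs_preflight(headers: Dict[str, str]) -> bool:
    # Authorization is not a CORS-safelisted request header, so any request
    # that carries it must be preflighted by the browser.
    return "Authorization" in headers

def browser_fetch(method: str, path: str, headers: Dict[str, str], max_redirects: int = 5):
    """Client side: follow same-origin redirects, applying CORS 7.1.5 as quoted."""
    for _ in range(max_redirects):
        if needs_preflight(headers):
            status, _ = api("OPTIONS", path, {"Access-Control-Request-Headers": "Authorization"})
            if not 200 <= status < 300:
                return "network error"           # preflight itself refused
        status, resp = api(method, path, headers)
        if 300 <= status < 400 and "Location" in resp:
            if needs_preflight(headers):
                return "network error"           # 303 is "not in the 2xx range"
            path = urlsplit(resp["Location"]).path
            continue
        return status
    return "too many redirects"
```

The unauthenticated chain ends at 200 while the same chain with an `Authorization` header stops at the 303, which is exactly the browser message shown above.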