Prevent Redirection of Xmlhttprequest

Prevent redirection of Xmlhttprequest

Not according to the W3C standard for the XMLHttpRequest object (emphasis added):

If the response is an HTTP redirect:

If the origin of the URL conveyed by the Location header is same origin with the XMLHttpRequest origin and the redirect does not violate infinite loop precautions, transparently follow the redirect while observing the same-origin request event rules.

They were considering it for a future release:

This specification does not include the following features which are being considered for a future version of this specification:

  • Property to disable following redirects;

but the latest specification no longer mentions this.

Is it possible for XHR HEAD requests to not follow redirects (301 302)

There isn't; this isn't exposed behavior you can stop.

It's because of the spec you linked already: the specified behavior is that XmlHttpRequest should transparently follow redirects... under the covers unfortunately, and not in a way you can prevent.

It's this way to try and make things easier, if resources move, etc... but when it was designed and the spec laid out, all these redirection services weren't out there. There just wasn't a strong need for any other behavior or ability to prevent it. I think with as many redirects hitting the web now we'll see the ability added, but who knows when every browser would support it.

XmlHttpRequest call to HttpHandler - able to redirect?

The XmlHttpRequest object will always honor redirects from the server and will give you the HTML from the redirected page - this is as per the W3C specs and cannot be controlled (see Prevent redirection of Xmlhttprequest).

So the only way for you will be to return a response from the HttpHandler (with status code 200 OK) that will indicate the need to redirect and the URL; on receiving the response, you can use JavaScript to do the actual redirect (if needed).
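A sketch of the client side of that pattern, added here as an example and not taken from the original answer. The `{"redirect": "<url>"}` body shape and the names `safeRedirectTarget` and `handleHandlerResponse` are assumptions. Because the target now arrives as data rather than as a browser-handled `Location` header, the script validates it before navigating.

```javascript
// Added example: the {"redirect": "<url>"} body shape and both function names are assumptions.

// Accept a server-supplied redirect target only if it is http(s) and stays on
// the page's own origin or an explicitly allowed one.
function safeRedirectTarget(target, pageUrl, allowedOrigins = []) {
  if (typeof target !== "string" || target.trim() === "") return null;
  let resolved;
  try {
    resolved = new URL(target, pageUrl); // relative targets resolve against the page
  } catch (e) {
    return null;
  }
  // Rejects javascript:, data: and other non-navigation schemes.
  if (resolved.protocol !== "https:" && resolved.protocol !== "http:") return null;
  const pageOrigin = new URL(pageUrl).origin;
  if (resolved.origin !== pageOrigin && !allowedOrigins.includes(resolved.origin)) return null;
  return resolved.href;
}

// Decide what to do with the handler's response (status 200 plus optional redirect).
function handleHandlerResponse(status, bodyText, pageUrl, allowedOrigins = []) {
  if (status !== 200) return { action: "error", status };
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    return { action: "render", data: bodyText }; // not JSON: ordinary content
  }
  if (body !== null && typeof body === "object" && "redirect" in body) {
    const url = safeRedirectTarget(body.redirect, pageUrl, allowedOrigins);
    return url ? { action: "redirect", url } : { action: "blocked", target: body.redirect };
  }
  return { action: "render", data: body };
}

// Browser wiring (constructed usage):
//   xhr.onload = function () {
//     var r = handleHandlerResponse(xhr.status, xhr.responseText, location.href);
//     if (r.action === "redirect") window.location.assign(r.url);
//   };
```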

Prevent XmlHttpRequest redirect response in .Net MVC WS-Federation Site

I think I've found an answer to this problem and want to circle back and leave an answer for anyone else in the world that might encounter this.

My problem was that the HttpContext.Current.Items wasn't matching up between my ActionFilterAttribute and the WSFederationAuthenticationModule, so I ended up inspecting the context and adding some checks similar to Phil Haack's Forms Redirect Suppress Example.

Here is what my updated custom WSFederationAuthenticationModule looks like:

using System.Web;
using Microsoft.IdentityModel.Web;

public class WSFederationServiceAuthenticationModule : WSFederationAuthenticationModule
{
    // Log4NetLoggingService is the application's own logging wrapper.
    private static Log4NetLoggingService logger = new Log4NetLoggingService();

    protected override void OnAuthorizationFailed(AuthorizationFailedEventArgs e)
    {
        base.OnAuthorizationFailed(e);

        var context = HttpContext.Current;
        var req = context.Request;
        var resp = context.Response;

        if (req == null || resp == null)
        {
            logger.Info("WSFedService: Did not find Request or Response");
            return;
        }

        // For AJAX callers, suppress the redirect to the identity provider so the
        // client sees the failure status instead of transparently following a 302.
        if ((resp.StatusCode == 302 || resp.StatusCode == 401) && req.Headers["X-Requested-With"] == "XMLHttpRequest")
        {
            logger.Info("WSFedService: Found Redirect and Header");
            e.RedirectToIdentityProvider = false;
        }
        else
        {
            logger.Info(string.Format("WSFedService: Did not find redirect status code or XMLHttpRequest Header: {0}", resp.StatusCode));
        }
    }
}

And of course, you'll need to add this to your web.config in place of the default authentication module:

<system.web>
    <httpModules>
        <!-- Old and Busted...
        <add name="WSFederationAuthenticationModule"
             type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
        -->

        <!-- New Hotness... -->
        <add name="WSFederationAuthenticationModule"
             type="MyApp.Web.Authentication.WSFederationServiceAuthenticationModule, MyApp.Web" />
    </httpModules>
</system.web>

<system.webServer>
    <modules>
        <!-- Old and Busted...
        <add name="WSFederationAuthenticationModule"
             type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             preCondition="managedHandler"/>
        -->

        <!-- New Hotness... -->
        <add name="WSFederationAuthenticationModule"
             type="MyApp.Web.Authentication.WSFederationServiceAuthenticationModule, MyApp.Web"
             preCondition="managedHandler"/>

    </modules>
</system.webServer>

How to prevent Chrome from redirecting AJAX requests to HTTPS?

This could be caused by an extension such as HTTPS everywhere or by Strict Transport Security (HSTS).

These factors are outside your control; to resolve it you need to modify the server-side API endpoint to serve CORS response headers, e.g.:

Access-Control-Allow-Origin: http://api.domain.com

... or just enforce https site-wide. Then you don't need to worry about http/https origin violations. As a bonus, https has recently become one of the positive factors for your site's ranking on Google.

The log in the question clearly shows that HSTS is the culprit. Chrome's HSTS implementation does not properly work with cross-origin requests at the moment (crbug.com/387198). The only way for website owners to work around this bug is to enforce site-wide https, and access the API over https.

If you want to reproduce the bug, visit chrome://net-internals/#hsts and add the domain to the HSTS list via the first input box ("Add domain"). Then, after having reproduced the bug, remove the domain from the HSTS list via the second input box ("Delete domain"). This method is also a way for users to work around the bug. After all, if the domain is removed from the HSTS list, then there's no HSTS redirect any more.

What is HSTS?
HSTS is activated after the server sends a Strict-Transport-Security header in any of its https responses. After receiving this header once, the browser will force that all resources on the web page are requested over https. For more info, see http://chromium.org/sts and http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security.

Since this bug occurs only for some of your users, it is most likely that it is caused by a browser extension or some page on the API domain that responds with the STS header.
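To see why an `http://` AJAX call ends up on `https://` for only some users, the following added example (not from the original answer) models the HSTS bookkeeping a browser does, simplified from RFC 6797. `parseSts` and `HstsStore` are hypothetical names, and `api.domain.com` is reused from the header example above as a constructed input.

```javascript
// Added example: simplified model of HSTS handling; names are assumptions.

// Parse a Strict-Transport-Security header value into its directives.
function parseSts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of headerValue.split(";")) {
    const [rawName, rawValue = ""] = part.trim().split("=");
    const name = rawName.trim().toLowerCase(); // directive names are case-insensitive
    const value = rawValue.trim().replace(/^"|"$/g, "");
    if (name === "max-age" && /^\d+$/.test(value)) policy.maxAge = Number(value);
    if (name === "includesubdomains") policy.includeSubDomains = true;
  }
  return policy.maxAge === null ? null : policy; // max-age is required
}

class HstsStore {
  constructor() {
    this.hosts = new Map(); // hostname -> { expires, includeSubDomains }
  }

  // Record a policy. The header is honoured only on https responses.
  note(responseUrl, headerValue, nowMs) {
    const u = new URL(responseUrl);
    if (u.protocol !== "https:") return;
    const p = parseSts(headerValue);
    if (!p) return;
    if (p.maxAge === 0) { this.hosts.delete(u.hostname); return; } // max-age=0 clears the entry
    this.hosts.set(u.hostname, {
      expires: nowMs + p.maxAge * 1000,
      includeSubDomains: p.includeSubDomains,
    });
  }

  // Return the URL that would actually be requested for requestUrl.
  effectiveUrl(requestUrl, nowMs) {
    const u = new URL(requestUrl);
    if (u.protocol !== "http:") return u.href;
    const labels = u.hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join("."));
      // i === 0 is an exact host match; parent domains need includeSubDomains.
      if (entry && entry.expires > nowMs && (i === 0 || entry.includeSubDomains)) {
        u.protocol = "https:"; // internal upgrade before any network request
        return u.href;
      }
    }
    return u.href;
  }
}
```

A user whose browser has ever recorded the header for the API host gets the upgraded URL; a user whose browser has not keeps the plain `http://` request, which matches the "only some users" symptom.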

Prevent redirection when form is submitted

No. If you submit a form, you will redirect.

What you can do, however, is to "serialize" the form, get the URL (I'm assuming GET), and request the server using XmlHttpRequest (Ajax).

There's a question on SO about serializing a form without jQuery: how to serialize a form without jQuery?

Also, this one on how to use XMLHttpRequest: How to get the response of XMLHttpRequest?

jQuery kind of makes both tasks easier, though.


