I am trying to intercept cookies. Here is the request timeline:

  1. I send a POST request.
  2. The server sends a 302 and adds in two Set-Cookie headers (used for authentication).
  3. jQuery or WinJS adds the headers and sends a GET to the redirect URL.
  4. I get a 200 response, but cookies are not included here.

Can I intercept these cookies anywhere?


Here are the two ways I can send this request:

    WinJS.xhr({
        type: 'post',
        url: url,
        data: token
    }).done(
        function completed(request) {
            // get cookie?
        }
    );

    $.ajax({
        url: url,
        type: 'post',
        data: token,
        success: function(data, text, xhr) {
            // get cookie?
        }
    });
Caleb Jares

1 Answer

After some research, I have found that it is not possible to intercept or stop a same-domain redirect. According to this answer,

There is no socket support in JavaScript. You can only build HTTP queries by using the XMLHttpRequest wrapper, or optionally wrappers for that such as jQuery.ajax. This is for all kinds of good reasons, principally security.

So XMLHttpRequest is the lowest you can get. This answer tells us that we cannot intercept same-domain redirects ever. Answer included below for reference.


According to the W3C standard for the XMLHttpRequest object (emphasis added):

If the response is an HTTP redirect:

If the origin of the URL conveyed by the Location header is same origin with the XMLHttpRequest origin and the redirect does not violate infinite loop precautions, transparently follow the redirect while observing the same-origin request event rules.

They were considering it for a future release:

This specification does not include the following features which are being considered for a future version of this specification:

  • Property to disable following redirects;

but the latest specification no longer mentions this.

Caleb Jares
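
The timeline from the question, modelled as an added example (not part of the original posts, and not browser, jQuery or WinJS code): the 302 hop and its `Set-Cookie` headers are handled below the script-visible API, and `Set-Cookie` is also filtered from the response headers script can read. The host `app.example`, the cookie values, `fakeServer`, `modelXhr` and the redirect limit are constructed assumptions.

```javascript
// Constructed model of the exchange in the question; not browser, jQuery or WinJS code.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);
const MAX_REDIRECTS = 20; // assumed limit standing in for "infinite loop precautions"

// Constructed server: POST /login -> 302 with two Set-Cookie headers, GET /home -> 200.
function fakeServer(req) {
  if (req.method === 'POST' && req.url === 'https://app.example/login') {
    return { status: 302, body: '', headers: [
      ['Location', '/home'],
      ['Set-Cookie', 'session=abc123; Path=/; HttpOnly'],
      ['Set-Cookie', 'auth=xyz789; Path=/; HttpOnly'],
    ] };
  }
  if (req.method === 'GET' && req.url === 'https://app.example/home') {
    return { status: 200, body: 'welcome', headers: [['Content-Type', 'text/html']] };
  }
  return { status: 404, body: '', headers: [] };
}

// Follows same-origin redirects internally, as the quoted spec text requires, and
// returns only what script would be handed, plus a hop-by-hop view of the wire.
function modelXhr(method, url, transport) {
  const origin = new URL(url).origin;
  const jar = new Map(); // browser cookie store, filled by the network layer
  const wire = [];
  let req = { method, url, cookie: '' };
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const res = transport(req);
    wire.push({ ...req, status: res.status });
    for (const [name, value] of res.headers) {
      if (name.toLowerCase() !== 'set-cookie') continue;
      const pair = value.split(';')[0];
      const eq = pair.indexOf('=');
      jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    }
    const loc = res.headers.find(([n]) => n.toLowerCase() === 'location');
    if (res.status !== 302 || !loc) {
      const visibleHeaders = res.headers.filter(
        ([n]) => !FORBIDDEN_RESPONSE_HEADERS.has(n.toLowerCase()));
      return { status: res.status, body: res.body, visibleHeaders, wire };
    }
    const next = new URL(loc[1], req.url);
    if (next.origin !== origin) throw new Error('cross-origin redirect is not modelled');
    const cookie = [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    req = { method: 'GET', url: next.href, cookie }; // 302 after POST is re-issued as GET
  }
  throw new Error('redirect limit exceeded');
}
```

The `wire` array is what a proxy or server log would record; the callback only ever receives `status`, `body` and `visibleHeaders` of the final hop.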