16

There is a page (URL) that I request with XMLHttpRequest, but I'm not getting the response from the requested URL; it redirects the request to another page:

requesting --- > page.php
getting response from > directedpage.php

The question is: how can I get the response URL? (directedpage.php in the example)

Okan Kocyigit

1 Answer

30

The final URL (after following all redirects) is available in the `responseURL` attribute of an XMLHttpRequest instance. This feature is new and only supported in Firefox 32 stable in September 2014 [ref] and Chrome 37.0.2031.0 stable in August 2014 [ref] (and probably also Opera 24). `responseURL` is not (yet) supported in IE 11 or Safari 7 and older browsers. For these browsers, the previous answer is still true:

XMLHttpRequest automatically follows redirects, without saving the served URLs in a property. The Location header cannot be retrieved through `.getResponseHeader()` either.


Rob W
  • OK, but does someone know why? Security? Which attack should be available with the response URL? (Giving the response URL only if it is in the same origin as the original URL) – Julien Palard Apr 26 '13 at 14:47
  • @JulienPalard [The specification](http://www.w3.org/TR/XMLHttpRequest/#infrastructure-for-the-send()-method) demands that redirects have to be followed transparently. – Rob W Apr 26 '13 at 14:53
  • @RobW: I don’t understand, if I have this `A=302—>B=302—>C=302—>A=200`. What will `responseURL` return? The URL of C or A? – user2284570 Sep 18 '15 at 00:46
  • @user2284570 The URL of the last A. – Rob W Sep 18 '15 at 12:07
  • @RobW: And in the case of a circled redirect? – user2284570 Sep 18 '15 at 12:10
  • @user2284570 It will probably be `null`, because the browser will detect the redirect loop and abort the request. – Rob W Sep 18 '15 at 12:11
  • Is it impossible to get `responseURL` for blocked CORS requests? – traxium Oct 15 '16 at 19:30
  • 2
    @traxium It is not possible to get `responseURL` for blocked cross-origin requests. If the server did not respond with the expected CORS response headers, then the browser has to assume that the server is not willing to volunteer sensitive information and therefore it will not leak the redirection target to the script. – Rob W Oct 15 '16 at 19:34
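
An added example, not part of the original answer or its comments: reading `responseURL` defensively, covering browsers that lack the property, requests where no URL is exposed (per the XMLHttpRequest specification the property is then an empty string), and a check of the final origin before the response is trusted. The names `inspectResponseUrl`, `requestFinalUrl`, `FakeXHR`, the `allowedOrigins` allowlist and the host `app.example` are assumptions made for illustration.

```javascript
// Inspect a finished XMLHttpRequest and report where the response came from.
// `allowedOrigins` is an assumed allowlist of origins the caller trusts.
function inspectResponseUrl(xhr, requestedUrl, allowedOrigins) {
  // Browsers without the feature do not define the property at all.
  if (typeof xhr.responseURL !== 'string') {
    return { status: 'unsupported', finalUrl: null };
  }
  // Empty string: no response URL was exposed to the script (network error,
  // aborted redirect loop, or a cross-origin response blocked by CORS).
  if (xhr.responseURL === '') {
    return { status: 'unavailable', finalUrl: null };
  }
  // Resolve relative request URLs against the page when running in a browser.
  const base = globalThis.location ? globalThis.location.href : undefined;
  const requested = new URL(requestedUrl, base);
  requested.hash = ''; // responseURL never carries a fragment
  const finalUrl = new URL(xhr.responseURL);
  // Redirects are followed transparently, so check the origin that answered.
  if (!allowedOrigins.includes(finalUrl.origin)) {
    return { status: 'untrusted-origin', finalUrl: finalUrl.href };
  }
  const redirected = finalUrl.href !== requested.href;
  return { status: redirected ? 'redirected' : 'direct', finalUrl: finalUrl.href };
}

// Issue the request and pass the verdict to `callback`. `XHR` is injectable
// so the function can also be exercised outside a browser.
function requestFinalUrl(url, allowedOrigins, callback, XHR = globalThis.XMLHttpRequest) {
  const xhr = new XHR();
  xhr.open('GET', url);
  xhr.onload = xhr.onerror = () => callback(inspectResponseUrl(xhr, url, allowedOrigins));
  xhr.send();
}

// Constructed stand-in for a browser XHR: page.php redirects to directedpage.php.
class FakeXHR {
  open(method, url) { this.url = url; }
  send() {
    this.responseURL = this.url.replace('page.php', 'directedpage.php');
    this.onload();
  }
}
```

In a browser, omit the last argument of `requestFinalUrl` so the real `XMLHttpRequest` is used.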