runtime: [wasm] Blazor 303 responses, and fetch vs navigation

Describe the bug

From a blazor wasm application, Use HttpClient to submit a POST request to web api hosted on the same origin. Have that API return a 303 response to redirect to an external URL

HTTP/1.1 303 See Other Date: Wed, 08 Jul 2020 16:14:45 GMT Server: Kestrel Content-Length: 0 Location: https://login.microsoftonline.com/****************/saml2?SAMLRequest=***************&RelayState=*************** Set-Cookie: Saml2.hoU8e2aivVGd0X3xe_mLiReo=***************; path=/; secure; samesite=none; httponly Vary: Origin Access-Control-Allow-Origin: https://localhost:62808 X-Api-Status: Up X-Tenant-Status: Up

Blazor automatically follows up on this redirect by submitting a GET request with the browser fetch api. However in this case, due to CORS policies on the external URL being redirected to, CROSS site requests are not allowed. I actually need to fully navigate the user to the new URL in the browser. Due to this Blazor fetch request fails with a CORS error, but only surfaces a generic “fetch has failed” exception back to user code.

Note: This seems to be different behaviour than what you see with ordinary MVC using a form to submit a POST request:

e.g from the ExternalLogin.cshtml in identity:

 <form id="external-account" asp-page="./ExternalLogin" asp-route-returnUrl="@Model.ReturnUrl" method="post" class="form-horizontal">
                        <div>
                            <p>
                                @foreach (var provider in Model.ExternalLogins)
                                {
                                    <button type="submit" class="btn btn-primary" name="provider" value="@provider.Name" title="Log in using your @provider.DisplayName account">@provider.DisplayName</button>
                                }
                            </p>
                        </div>
                    </form>

This result of this POST will result in the browser being navigated to the LOCATION returned in the 303 redirect, which doesn’t seem to happen if you use blazor EditForm, and handle the submit via HttpClient to do a POST.

Wondering if it would be more appropriate to either:

  1. Have HttpClient surface the 303 response directly somehow, to allow user code in blazor wasm to handle what to do - i.e navigate vs another http request to the new location?

Or

  1. Keep the existing logic of fetching from the redirected URL but only if its LOCATION has the same Origin as the original request (as then same CORS policies would likely apply). If the redirect is to a LOCATION completely external to the original origin, don’t assume a fetch is ok, and perhaps perform a Navigate(reload: true) ?

To Reproduce

As per above, do a POST request from blazor wasm, and have the server return a 302 with a redirect to an external URL that prevents CORS requests.

Exceptions (if any)

Further technical details

  • ASP.NET Core version
  • Include the output of dotnet --info
  • The IDE (VS / VS Code/ VS4Mac) you’re running on, and it’s version

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 20 (10 by maintainers)

Most upvoted comments

You should be able to configure the follow behavior on HttpRequestMessage:

requestMessage.SetBrowserRequestOption("redirect", "manual");
+1
pranavkm on Jul 9, 2020
Read more comments on GitHub
← runtime: [wasm] AOT: `System.Globalization.Calendars.Hybrid.WASM.Tests` and `System.Globalization.Hybrid.WASM.Tests` getting terminated
runtime: [wasm] Blazor/AOT crashing with preview1 - `Assertion at /__w/1/s/src/mono/mono/mini/aot-runtime.c:2443` →