Allow redirects for requests that require preflight.

third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async.html

 <p>Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.</p>
 
 <pre id="console"></pre>
 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
     testRunner.waitUntilDone();
 }
 
 function log(message)
@@ skipping 31 matching lines @@
 
 var tests = [
 // 1) Test simple cross origin requests that receive redirects.
 
 // Receives a redirect response without CORS headers. The redirect response fails the access check.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi",
   withoutCredentials, noCustomHeader, fails],
 
 // Receives a redirect response with CORS headers. The redirect response passes the access check and the resource response
 // passes the access check.
-// FIXME: this test fails because the redirect is vetoed. There are continued bugs with redirects when the original
-// request was cross-origin.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
-  access-control-allow-origin=http://localhost:8000",
+  access-control-allow-origin=http://127.0.0.1:8000",

[yhirano, 2016/11/16 08:20:28]

Hm, the document origin is http://127.0.0.1:8000 and the setting has been wrong
for a long time, right? If so, should we replace all localhost:8000 in ACAO
headers as well?

[Jack Bates, 2016/11/20 18:51:11]

Done.

   withoutCredentials, noCustomHeader, succeeds],
 
 // Receives a redirect response with a URL containing the userinfo production.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=http://localhost:8000",
   withoutCredentials, noCustomHeader, fails],
 
 // Receives a redirect response with a URL with an unsupported scheme.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&\
   access-control-allow-origin=http://localhost:8000",
   withoutCredentials, noCustomHeader, fails],
 
 // 2) Test preflighted cross origin requests that receive redirects.
 
 // Receives a redirect response to the preflight request and fails.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&\
   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=*",
   withoutCredentials, addCustomHeader, fails],
 
 // Successful preflight and receives a redirect response to the actual request and fails.
 ["http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false&\
   url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&\
   access-control-allow-origin=*&\
   access-control-allow-headers=x-webkit",
-  withoutCredentials, addCustomHeader, fails],
+  withoutCredentials, addCustomHeader, succeeds],
 
 // 3) Test same origin requests with a custom header that receive a same origin redirect.
 ["resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt",
   withoutCredentials, addCustomHeader, succeeds],
 
 ]
 
 var currentTest = 0;
 
 function nextTest() {
     if (currentTest < tests.length)
         runTestAsync.apply(null, tests[currentTest++]);
     else if (window.testRunner)
         testRunner.notifyDone();
 }
 
 nextTest();
 </script>