What are the security concerns in allowing javascript to know more about a redirect?

78 views Asked by At

This query originated from me wanting javascript from a chrome extension to know where a url redirects to without following it. I wanted to force the expanded url to use https if it matched a list of domains.

There is no technical reason javascript can't know the redirect location before performing the redirect.

I read here that xmlhttprequest spec specifically states redirects should be transparent. The answer poster supposes this was because at the time link shortening wasn't prevalent and it was the simplest option.

The next answer mentions the fetch API. I was excited to learn it could "manually" handle redirects, but quickly was disappointed that, because of nebulous security concerns, when manually handling a redirect you're given a highly-filtered "opaqueredirect" object that doesn't give you the redirect destination. This is intentional.

What are the security concerns? Javascript can easily query any of dozens of third party services to get the redirect location and already can change every link on the page, why shouldn't it be able to cancel a redirect while knowing where it would have gone? It would be helpful to have a concrete example of a "bad thing" that is made possible by allowing this.

0

There are 0 answers