Allow redirect to external sites if CORS isn't enabled #1891
| // If the send method throws an exception, redirect to the form action URL. | ||
| // This can happen for example if redirecting to an external site, which doesn't have CORS enabled, | ||
| // so we can't use Ajax. | ||
| window.location.href = url; |
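Review bot: The comment's first line promises a redirect "to the form action URL", but the assignment on the last line uses url. Name the same value in both places, or say in the comment how url relates to the form's action, so a reader can tell which destination the fallback navigates to.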
This won't work for forms that are submitted via POST. I don't think this can be really fixed at all except by disabling the JS form submission in those forms.
Ok, I'll share my example code soon to show my use case.
Here's the example: amitaibu/ihp-cms-starter#35
If you navigate to http://localhost:8000 without the PR it will result in a console error. With the PR you'll be redirected to the repo of one of the best Haskell frameworks! 😄
@copilot can you resolve conflicts with
Pull request overview
This PR attempts to fix issue #1889 by allowing form submissions to redirect to external sites when CORS is not enabled. The implementation adds a try-catch block around the request.send() call to catch potential exceptions and fall back to a standard page redirect.
Key Changes:
- Wraps request.send() in a try-catch block to handle potential errors
- Falls back to window.location.href redirect if an exception is caught
| // If the send method throws an exception, redirect to the form action URL. | ||
| // This can happen for example if redirecting to an external site, which doesn't have CORS enabled, | ||
| // so we can't use Ajax. | ||
| window.location.href = url; |
The variable url is only defined in the GET method branch (line 279), but this catch block can be reached in both GET and POST cases. For POST requests, url will be undefined, causing a potential error. Use formAction instead, which is available in both branches.
| window.location.href = url; | |
| window.location.href = formAction; |
| try { | ||
| request.send(parameters.join('&')); | ||
| } catch (e) { | ||
| // If the send method throws an exception, redirect to the form action URL. | ||
| // This can happen for example if redirecting to an external site, which doesn't have CORS enabled, | ||
| // so we can't use Ajax. | ||
| window.location.href = url; |
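Review bot: The catch (e) block never uses e, so every exception thrown by request.send(...) is treated as the CORS case and its cause is lost; log e or inspect it before navigating. The fallback is also not equivalent to the request it replaces: send() carries parameters.join('&') as the body, while window.location.href = url is a plain navigation, so unless url already encodes the fields they are dropped on this path.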
XMLHttpRequest.send() typically does not throw exceptions for CORS errors. CORS failures are asynchronous and trigger the 'onerror' event handler instead. The try-catch block may not catch CORS-related issues as intended. Consider adding a request.onerror handler or a timeout mechanism to detect when AJAX submission fails and fall back to a regular form submission.
| try { | |
| request.send(parameters.join('&')); | |
| } catch (e) { | |
| // If the send method throws an exception, redirect to the form action URL. | |
| // This can happen for example if redirecting to an external site, which doesn't have CORS enabled, | |
| // so we can't use Ajax. | |
| window.location.href = url; | |
| // Fallback handler to ensure redirect only happens once | |
| var hasFallenBack = false; | |
| function fallbackToRegularSubmission() { | |
| if (!hasFallenBack) { | |
| hasFallenBack = true; | |
| window.location.href = url; | |
| } | |
| } | |
| request.onerror = fallbackToRegularSubmission; | |
| request.ontimeout = fallbackToRegularSubmission; | |
| // Set a timeout (e.g., 10 seconds) | |
| request.timeout = 10000; | |
| try { | |
| request.send(parameters.join('&')); | |
| } catch (e) { | |
| // If the send method throws an exception, redirect to the form action URL. | |
| // This can happen for example if redirecting to an external site, which doesn't have CORS enabled, | |
| // so we can't use Ajax. | |
| fallbackToRegularSubmission(); |
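Review bot: In the suggested fallback, request.onerror and request.ontimeout both navigate to url, and onerror fires for any network-level failure, not only a blocked cross-origin response. A dropped connection, or the 10-second timeout on a slow request, would then navigate the page even though the server may already have processed the submission. Restrict the fallback to the case it is meant for, and take the timeout from configuration rather than the hard-coded 10000.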
fixes #1889