res.redirect behaves differently if the request type is xhr/Redirect (vs document)

[stefango]

Usage

if(sessionTimeout) {
  return res.redirect("https://sso-host.com/?target=https://app.com")
}
next()

if the request type is xhr/Redirect

this didn't redirect user to the target page, only triggered two more endpoints(the second and the third) calling. wondering if we can do anything else in expressjs server side to redirect user to the target page except for adding extra codes in client side(e.g. use window.location.href = response.headers.location in axios response interceptors)

if the request type is document

this redirect user to the target page

[krzysdz]

You can't do anything more on the server. If you perform a fetch() or XHR then the request is handled separately from document navigation. If a redirect is received in response to such request then only the request is redirected.

Let's say that you have a page A which fetches some information client-side from resource B (http://b.b/b). It's an old page and uses HTTP instead of HTTPS. Then someone managing B decides to upgrade to HTTPS and always issues redirects to the same resource, but using HTTPS (https://b.b/b) when asked over HTTP.
Now, what will happen is that when a user loads A it makes a request to B that gets redirected by the server to use HTTPS, they will still be on A which will load the data from B, just using secure protocol with a redirect that is invisible to them.
If such redirect could cause navigation, then instead suddenly the user would end up on https://b.b/b, which is e.g. a JSON and not the page they wanted to see.

Such "non-navigation request causing navigation on redirect", could also be used for malicious purposes. When responding to some requests a malicious API could, instead of responding with real/fake data, cause a navigation to a phising page.

If you want to cause a navigation, then the best way, would be returining a special response with URL that is understood by the client (JS on the website) as requiring navigation. You can also do this by instructing fetch() or axios or whatever you use not to follow redirects and then manually handling 302 by forcing navigation (window.location.href = ...), but this may be a problem later when redesigning API and redirecting old endpoints to new ones (in case you forget to change them on client), which you would want to happen transparently to the user in the background, or you'd end up with user seeing JSON again.