Why does my redirected CORS request fail?

Question

My problem is with a angularjs $http call on my app running at localhost:8080

var url "https://api.acme.com/RX/v1/user";
$http.get(url).success(function (data) {
    alert('yay');
$scope.user = data;
});

The first request succeeds with the following response recorded by Chrome:

Status Code:302 Found
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:8080
Location:https://login.acme.com/cas/login?service=https%3A%2F%2Fapi.acme.com%2FRX%2Fv1%2Fuser

This results in the browser making a second GET request to the redirect location:

https://login.acme.com/cas/login?service=https%3A%2F%2Fapi.acme.com%2FRX%2Fv1%2Fuser

This second request fails with the following error reported in Chrome:

XMLHttpRequest cannot load https://login.acme.com/cas/login?service=https%3A%2F%2Fapi.acme.com%2FRX%2Fv1%2Fuser. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

So I have a CORS request from an origin to a url that allows the request that is being redirected to another url that is also configured to allow the request. But the redirect request is failing. Should I expect this to work?

Note, both api.acme.com and login.acme.com are configured to allow all origins using

Access-Control-Allow-Origin: *

Answer 1

see step 6 of this section(7.1.7): http://www.w3.org/TR/cors/#redirect-steps

more discussion could be found here: https://code.google.com/p/chromium/issues/detail?id=154967

Unfortunately the convention of transmitting the string "null" makes it seem like it could be a bug; I thought so myself until I tracked this down :)