html firefox browser-cache cache-manifest html5-appcache

More Odd Firefox Cache Manifest Behavior: Redirect to Outside Domain Results in 404 Failure


I have an HTML5/Javascript (PHP/MySQL on the server) app with a cache manifest and it runs fine on almost all mobile and desktop browsers except for Firefox.

When I remove the cache manifest, it works fine in Firefox. Therefore, it's something odd with the cache manifest in Firefox that I can't figure out. It's loading a file from the cache, even though the file sends a Cache-Control: no-store, no-cache header.

The file handles the OAuth dance for getting a LinkedIn access token and follows these steps:

  1. The app calls the file via Javascript using window.location.replace('file.php')
  2. file.php loads and is redirected to file.php?param=initiate
  3. file.php?param=initiate loads, gets a request token from LinkedIn, then redirects to the LinkedIn authorization page, then gets redirected to file.php?param=initiate&otherparameters
  4. file.php?param=initiate&otherparameters loads, otherparameters is used to get an access token from LinkedIn, then reloads the app because now it has access.

However, on Firefox (16.0.2 on Windows 7), I get the following:

  1. The app calls the file via Javascript using window.location.replace('file.php')
  2. file.php loads and is redirected to file.php?param=initiate (Firebug shows Status 302 Found and the Response Headers show the location /file.php?param=initiate)
  3. file.php?param=initiate loads, gets a request token from LinkedIn, but does NOT redirect to the LinkedIn authorization page: it shows the 404 page (Firebug shows Status 302 Found and the Response Headers show the location https:linkedin.com/authentication link, but Firefox does not go to the LinkedIn page, it makes another GET request for file.php?param=initiate and loads it from the cache: Status 200 OK (BF Cache) and shows the 404 page).

file.php is NOT in the cache manifest.

Basically it does not go to the Location in the response header from step 3 that should take it to the LinkedIn authorization page, but I can't figure out why not.

Any ideas on how to fix this?

If you want to reproduce this problem, here's a link to a test event. Try to send a LinkedIn connection request and watch Firebug. All the LinkedIn profiles for this event (except mine) are dummy profiles, so don't worry about sending a LinkedIn connection request to a random stranger. You have to register first with your e-mail to get an activation link, but you can use a disposable e-mail address if you want to.

Some things I've tried:

  1. No cache manifest: this fixes it, but I need offline functionality
  2. Sending headers with various permutations of no-store, no-cache, must-revalidate, past Expires date, etc.
  3. Reducing the number of entries in the cache manifest
  4. Various combinations of SETTINGS: prefer-online, NETWORK: *, NETWORK: https://*, etc.

Solution

  • I solved this problem by re-writing my LinkedIn/OAuth library so that it does everything via ajax instead of sending the Location header via PHP.

    After much frustration I figured out why this problem was happening, so hopefully this will help others who face a similar predicament.

    It turns out the cache manifest does not allow redirects to outside domains (this is probably documented somewhere, but it didn't show up for me when I searched for a solution).

    Part of the problem was that I didn't know the redirect was causing the problem. I thought it was just the weirdness of the cache manifest. After all, it worked fine on Chrome and Safari and I didn't get any useful debugging info from Firebug.

    Here's a useful article on the gotchas of cache manifest (this issue is listed as Gotcha #8).

    Here's a link to the HTML Offline Spec (this issue appears to be listed in section 6.7.6(4), but the document is so opaque I can't even tell whether that's really what it's referring to).
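The ajax approach described in the answer can be sketched as follows. This is an added example, not code from the original post: the `format=json` parameter, the `authorizeUrl` field, the function names and the `www.linkedin.com` host are assumptions. The server returns the authorization URL as data instead of a `Location` header, and the client validates it before making a top-level navigation, so a tampered or unexpected response cannot send the user to an arbitrary site.

```javascript
// Added example; endpoint, JSON shape and host allowlist are assumptions.
const ALLOWED_AUTH_HOSTS = new Set(['www.linkedin.com']); // assumed authorization host

// Validate the authorization URL returned by the server before navigating to it.
function checkAuthorizationUrl(raw, allowedHosts = ALLOWED_AUTH_HOSTS) {
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch (e) {
    throw new Error('authorization URL is not absolute: ' + raw);
  }
  if (url.protocol !== 'https:') throw new Error('authorization URL must use https');
  // Reject userinfo tricks such as https://www.linkedin.com@other.host/
  if (url.username || url.password) throw new Error('credentials not allowed in URL');
  if (!allowedHosts.has(url.hostname)) throw new Error('unexpected host: ' + url.hostname);
  return url.href;
}

// request(path) resolves to the response body; navigate(url) performs the
// top-level navigation. Both are injected so the flow can run outside a browser.
async function startLinkedInAuth(request, navigate) {
  // Hypothetical JSON variant of step 3: same-origin XHR, no cross-origin redirect.
  const body = await request('file.php?param=initiate&format=json');
  const data = JSON.parse(body);
  const target = checkAuthorizationUrl(data.authorizeUrl);
  navigate(target);
  return target;
}

// Browser wiring: the XHR stays on the app's own origin, and the move to the
// outside domain is an explicit navigation rather than a redirect response.
if (typeof window !== 'undefined') {
  const xhrGet = (path) => new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open('GET', path);
    xhr.onload = () => (xhr.status === 200
      ? resolve(xhr.responseText)
      : reject(new Error('HTTP ' + xhr.status)));
    xhr.onerror = () => reject(new Error('network error'));
    xhr.send();
  });
  startLinkedInAuth(xhrGet, (url) => window.location.assign(url)).catch(console.error);
}
```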