Internet Explorer 11 does not add the Origin header on a CORS request?

Question

My issue depends on a couple of assumptions I hold true.

Assumption nr 1: The Origin Header

The Origin header is required by the browser to be

Answer 1

Internet Explorer's definition of the "same origin" differs to the other browsers. See the IE Exceptions section of the MDN documentation on the same-origin policy:

Internet Explorer has two major exceptions when it comes to same origin policy:

• Trust Zones: if both domains are in highly trusted zone e.g, corporate domains, then the same origin limitations are not applied
• Port: IE doesn't include port into Same Origin components, therefore http://company.com:81/index.html and http://company.com/index.html are considered from same origin and no restrictions are applied.

Therefore if your cross-origin request occurs across different ports, or within one of IE's trusted zones, IE will not treat the request as cross-origin and will see no need to add the Origin: header.