Please help test a CORS issue in Firefox jQuery ajax when 401

野的像风 2021-01-03 01:10

This is driving me nutters.

jQuery 1.4.2, Windows XP SP3

Here is my test.

Load Firefox 3.5+

http://plungjan.name/test/testcors.html

w

4 answers
  •  日久生厌
    2021-01-03 02:13

    These are the conditions to be met to make CORS work with secured services:

    • Service response should contain header Access-Control-Allow-Credentials: true (see Requests with credentials and Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true).
    • Service response header Access-Control-Allow-Origin should not be *. The idea is to return the value passed by client in header Origin (see examples in this post).
    • According to specification, OPTIONS method should return HTTP code 200, thus it cannot be secured (see The CORS).
    • For methods PUT/POST that need to pass certain request headers to service (like Content-Type or Accept), these headers need to be listed in Access-Control-Allow-Headers (see jQuery AJAX fails to work when headers are specified)
    • JavaScript should set this XMLHttpRequest property: xhr.withCredentials = true; (as answered by Kirby)

    Altogether, the configuration for Apache:

    # Static content:
    SetEnvIf      Request_URI     ".*"                            no-jk
    # RESTful service:
    SetEnvIf      Request_URI     "^/backend/"                    !no-jk
    SetEnvIf      Request_Method  "OPTIONS"                       no-jk
    # Fallback value:
    SetEnv        http_origin     "*"
    SetEnvIf      Origin          "^https?://(localhost|.*\.myconpany\.org)(:[0-9]+)?$" http_origin=$0
    
    Header        set Access-Control-Allow-Credentials    "true"
    Header        set Access-Control-Allow-Origin         "%{http_origin}e"
    Header        set Access-Control-Allow-Methods        "GET,POST,PUT,DELETE"
    Header        set Access-Control-Allow-Headers        "Content-Type, Accept"
    
    JkMount /* loadbalancer
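
The conditions listed in the answer above, written as server-side decision logic. This is an added example, not part of the original answer or any project's code; `corsDecision`, its parameters and the `example.org` allow-list are assumptions made for illustration.

```javascript
// Added example (assumed names): CORS header decision for a credentialed service.
// The allow-list stands in for the answer's SetEnvIf Origin regex; example.org is a placeholder.
const ALLOWED_ORIGIN = /^https?:\/\/(localhost|([a-z0-9-]+\.)*example\.org)(:[0-9]+)?$/i;
const ALLOWED_METHODS = "GET,POST,PUT,DELETE";
const ALLOWED_HEADERS = "Content-Type, Accept";

// Returns { status, requireAuth, headers } for one request.
// authenticated: whether the request carried valid credentials.
function corsDecision(method, origin, authenticated) {
  // Vary: Origin keeps caches from serving one origin's headers to another.
  const headers = { Vary: "Origin" };
  const originOk = typeof origin === "string" && ALLOWED_ORIGIN.test(origin);
  if (originOk) {
    // Echo the exact Origin value; "*" is not accepted together with credentials.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  if (method === "OPTIONS") {
    // The preflight is answered with 200 and is not put behind authentication.
    if (originOk) {
      headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
      headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
    }
    return { status: 200, requireAuth: false, headers };
  }
  // A 401 is returned with the same CORS headers so the calling page can read the status.
  return { status: authenticated ? 200 : 401, requireAuth: true, headers };
}

// Constructed sample requests: [method, Origin header, authenticated].
const samples = [
  ["OPTIONS", "https://app.example.org", false],
  ["GET", "https://app.example.org", false],
  ["GET", "http://localhost:8080", true],
  ["GET", "https://evil.test", true],
];
for (const [method, origin, authenticated] of samples) {
  const d = corsDecision(method, origin, authenticated);
  console.log(method, origin, d.status, d.headers["Access-Control-Allow-Origin"] || "(no ACAO)");
}
```

On the client side the request still has to set `xhr.withCredentials = true`, as the answer notes.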
    
