CORS request with IE11

Question

I have a CORS (cross origin resource sharing) request coming from my login page to the application site, on a different URL. I have a simple page I ping to determine if a us

Answer 1

Changing the setting for "Access data sources across domains" to Enabled turns off cross-domain checks in IE and is horrifically unsafe. Instead, you need to ensure that the target 3rd-party resource sends a valid P3P policy that indicates that it's not doing horrible things to the user's privacy.

Answer 2

I had similar problem and found that neither axios or jquery can be made to work with Internet Explorer and the preflight/CORS issue. Only good old XMLhttpRequest worked. Because in pure XMLhttpRequest we can do this:

if (xhttp.readyState == 4 && xhttp.status == 200)

It seems that axios and jquery take into account the status and not the readyState - they somehow interpret that there is a cors problem - and it takes a few ticks to reach readyState == 4 in IE.

Answer 3

Found the issue.

I had a similar problem (using CORS in general, not specifically GWT). It turned out that the browser settings were blocking third-party cookies (IE10 > Internet Options > Privacy > Advanced > Third Party Cookies > Accept). To solve the problem, I checked "Override automatic cookie handling", "Accept" (Third-party Cookies) and "Always allow session cookies."

Andrew answered this question here: CORS doesn't work with cookies in IE10

EDIT: (Now that I know what to search for) This question may yield some help too, if anyone else runs into this issue. Internet Explorer 10 is ignoring XMLHttpRequest 'xhr.withCredentials = true'

Answer 4

IE10 requires the server return a valid P3P policy in addition to CORS headers for cross domain requests. Here is sample php code for returning a P3P header from the server.

  $szOrigin = $_SERVER['HTTP_ORIGIN'];
  if ($szOrigin != null)
  {
        header("Access-Control-Allow-Origin: $szOrigin");
        header("Access-Control-Allow-Credentials: true");
        header("P3P: CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI\"");
  }

Answer 5

We had the problem that, except every other browser, the IE11 send Access-Control-Request-Headers: accept with the request, so "accept" had to be added to the allowedHeaders cors configuration, because it seems not to be part of the default spring cors configuration.

Answer 6

After a lot of digging i found that the page that i'm pinging using ajax is on the internet zone while my current page in on the intranet zone.

IE 11 has the "Protected Mode" enabled for internet sites and when this is enabled cookies are not being sent to the site that i'm pinging even if they belong to that domain.

Adding the page to the trusted sites, or disabling "Protected Mode" solved the problem.

Note that this problem does not happen when both sites are in the internet zone even when "Protected Mode" is enabled.