SEC7118: XMLHttpRequest for /socket.io/1/?t=1370206038749 required Cross Origin Resource Sharing (CORS)

Question

I have a nodejs app on one server running on port 443 (apache listening disabled) with the following node.js packages:

Express: 3.2.1
Socket.io: 0.9.14
Request: 2.21.0
Node: 0.11.1

I then have a drupal site on a second server with the nodejs module enabled. I built a chat which uses the nodejs app on the first mentioned server. All good til now, after much pain I managed to get it all working. All but in IE10. I keep getting the error in IE10's console:

SEC7118: XMLHttpRequest for https://mynodejs.com/socket.io/1/?t=1370206038749
required Cross Origin Resource Sharing (CORS). 

As far as I know, IE10 fully supports CORS. Somehow, the error does not stop the loading of socket.io itself and a websocket is opened. In my node.js app's log, the user is authorised and his channel added. On the site, the user using IE10 can see others, even send messages to others. But he cannot receive messages from other chat users...

I set the node.js app to return the correct headers for basic CORS:

Access-Control-Allow-Origin    https://mydrupalsite.com
Access-Control-Allow-Headers    Origin, X-Requested-With, X-File-Name, Content-Type, Cache-Control
Access-Control-Allow-Credentials    true         //with or without, it makes no difference

I intentionally did not include any code from my node.js app as it's fully working on any other browser. Can anyone tell what's going on? Has anybody succeeded to get a node.js app working on IE10??

Answer 1

AFAIU, SEC7118 is not an error but just a notification. I've googled but didn't find the code reference on any MS site; anyway you can find 7118 messages when CORS works fine for IE10. This document focused on CORS and IE10 clarify what I mean (and it's definitely worth reading): http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx

Anyway, I've found your issue when troubleshooting some sort of nodejs chat (actually, a BOSH backed js chat client) on IE10. In my case turned out that IE10 prepends "NS1:" to some xml attributes when sending requests, breaking things up.

So, you should carefully check your xml payload looking for subtle differences (like the one we found) between IE10 and other (working) browsers. Hope this helps.