I've found several similar threads. However, none have yet seemed to work.
In our current ecosystem we've got three servers for our http-apis. Two for test and one for production.
Recently we've been releasing client-side web applications using AngularJS. Since the client apps is for our customers, the communication to our api is cross domain. The web apps operates properly in Chrome, safari and firefox an all apis. However, for the third api Internet Explorer(11) refuses to send the preflight(options) request, which disables the client to communicate with the api. In the other two apis, the web app works fine in IE.
The apis would be the following:
https://api.doma.in/accesstoken -- Works in IE11 https://api2.doma.in/accesstoken -- Works in IE11 https://api3.doma.in/accesstoken -- Does not send preflight in IE11.
What is to be noticed is that the three servers are more or less cloned, so the setup won't differ much.
However, the error I'm getting in the error messages I'm getting is the following:
SEC7118: XMLHttpRequest https://api3.doma.in/accesstoken required CORS (Cross Origin Resource Sharing). SEC7119: XMLHttpRequest https://api3.doma.in/accesstoken required CORS Preflight. SCRIPT7002: XMLHttpRequest Network error 0x80070005, Access Denied.
In the network log it only shows that the preflight request got cancelled, hence no request or response headers.
I was able to identify the problem using openssl. By running
$ openssl s_client -connect <url/domain>:443 -state I identified an error with ssl.
Api 1 and 2 showed the following in the result from openssl:
SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
On api 3(the failing api-server) the result showed two additional operations:
SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server certificate request A //This SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A //This SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A
Yet I have not resolved this issue on the server. In the mean time I'm using an xdomain "hack"(https://github.com/jpillora/xdomain). It's really easy to setup and works fine.
To add more details of the root cause and save anyone else looking into this many hours / days.
In my instance IE 11 was following the proper spec and not sending the client certificate when making the CORS Preflight request. Can read more about that here
This part of the spec is ignored in Chrome and other browsers and they DO send the client certificate.
To easily validate if this is your problem download and install fiddler, configure it to support HTTPs and test your broken CORS again, Mine worked with Fiddler but didnt when connecting directly to the remote server.
User contributions licensed under CC BY-SA 3.0