Internet Explorer Cross Domain: Not sending preflight

0

I've found several similar threads. However, none have yet seemed to work.

Problem

In our current ecosystem we've got three servers for our http-apis. Two for test and one for production.

Recently we've been releasing client-side web applications using AngularJS. Since the client apps is for our customers, the communication to our api is cross domain. The web apps operates properly in Chrome, safari and firefox an all apis. However, for the third api Internet Explorer(11) refuses to send the preflight(options) request, which disables the client to communicate with the api. In the other two apis, the web app works fine in IE.

The apis would be the following:

https://api.doma.in/accesstoken -- Works in IE11
https://api2.doma.in/accesstoken -- Works in IE11
https://api3.doma.in/accesstoken -- Does not send preflight in IE11.

What is to be noticed is that the three servers are more or less cloned, so the setup won't differ much.

However, the error I'm getting in the error messages I'm getting is the following:

SEC7118: XMLHttpRequest https://api3.doma.in/accesstoken required CORS (Cross Origin Resource Sharing).
SEC7119: XMLHttpRequest https://api3.doma.in/accesstoken required CORS Preflight.
SCRIPT7002: XMLHttpRequest Network error 0x80070005, Access Denied.

In the network log it only shows that the preflight request got cancelled, hence no request or response headers.

javascript
angularjs
internet-explorer
ssl
internet-explorer-11
asked on Stack Overflow Sep 29, 2015 by cbass

2 Answers

1

I was able to identify the problem using openssl. By running $ openssl s_client -connect <url/domain>:443 -state I identified an error with ssl.

Api 1 and 2 showed the following in the result from openssl:

SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

On api 3(the failing api-server) the result showed two additional operations:

SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A //This
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A //This
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A 

Yet I have not resolved this issue on the server. In the mean time I'm using an xdomain "hack"(https://github.com/jpillora/xdomain). It's really easy to setup and works fine.

answered on Stack Overflow Oct 4, 2015 by cbass
1

To add more details of the root cause and save anyone else looking into this many hours / days.

In my instance IE 11 was following the proper spec and not sending the client certificate when making the CORS Preflight request. Can read more about that here

This part of the spec is ignored in Chrome and other browsers and they DO send the client certificate.

In my instance we were using Pivotal Cloud Foundry and had to make a config change to ensure the connection isnt just rejected. enter image description here

To easily validate if this is your problem download and install fiddler, configure it to support HTTPs and test your broken CORS again, Mine worked with Fiddler but didnt when connecting directly to the remote server.

answered on Stack Overflow May 2, 2019 by Ettienne

User contributions licensed under CC BY-SA 3.0