Why are CORS requests failing in Microsoft Edge but working in other browsers?

16

I'm using jQuery to send cross-origin AJAX requests and they're working fine in IE11, Chrome and Firefox, but they fail in Edge with the following error:

SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

What's interesting is that I used Fiddler to try to figure out what was going on and when Fiddler is running and capturing requests everything works fine. As soon as I close Fiddler or pause capture it fails again.

The site is running on my local machine (webpack-dev-server) making requests across the local network to a WebAPI service.

My hosts file is set up like this:

127.0.0.1   local.myapp.test
192.168.0.111   api.myapp.test

It shouldn't be a problem in production as the site and API will be hosted in the same place but it's invaluable for development and testing.


Update:

Thanks to Eric Law on the Telerik forums I now know why it was behaving differently with Fiddler enabled - Edge was switching to the Local Intranet zone because of the proxy settings change Fiddler makes, and the intranet zone has a lower security level.

There are a few possibilities; without exact details of your configuration, we're just shooting in the dark.

One possibility is that your computer is configured with an Intranet zone and that Intranet zone is dependent on a proxy configuration script: http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx. When Fiddler is running, the proxy settings are pointed at Fiddler itself.

I'm going to bump the Local intranet zone security level up to Medium-High to match the Internet zone and then use Fiddler to try to work out why Edge is upset about the CORS request.

cors
fiddler
microsoft-edge
asked on Stack Overflow Feb 3, 2016 by Jerome • edited Apr 22, 2021 by TylerH

4 Answers

3

I'll include below, verbatim, the answers that Eric Lawrence (creator of Fiddler) kindly provided on the Fiddler forum:

One possibility is that your computer is configured with an Intranet zone and that Intranet zone is dependent on a proxy configuration script: http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx. When Fiddler is running, the proxy settings are pointed at Fiddler itself.

... there's another factor at work here if you're using an Intranet site as the target of an XHR from a site in the Internet zone.

Edge runs in Enhanced Protected Mode (AppContainer). That has a feature which blocks access to Private Network Resources from Internet-Zone processes. See the "Private Network resources" section of http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx for more details.

I added local.myapp.test (the URL I'm running my SPA from) to the Local Intranet zone in Internet Options and now Edge is happy without the need for Fiddler.

answered on Stack Overflow Feb 8, 2016 by Jerome • edited Jun 20, 2020 by Community
3

I came across this question, and after trying several options, what worked for me was removing the domain I am working on from all the Zone site entries. Using local.myapp.test as an example, I checked for any "anysubdomain".myapp.test entries and removed them from all zones, including all subdomains or wildcard entries.

In Internet Options (IE 11), select the Security tab, and in "Local intranet" click "sites" then "Advanced" and remove the relevant domain references in there.

In "Trusted sites" click "sites" and remove the relevant entries from the list in there.

answered on Stack Overflow Jul 22, 2016 by Dai Bok
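
The first two answers both change per-site Security Zone assignments through Internet Options. As an added example (not part of any answer on this page), the PowerShell function below lists the assignments currently stored for a domain, so you can see which hosts sit in a lower-security zone. It assumes the assignments live under the `ZoneMap\Domains` registry keys for the current user and the machine; `Get-ZoneMapEntry` is a name chosen here, and policy-managed site lists are not read.

```powershell
# Added example: audit Security Zone assignments stored for one domain,
# i.e. what Internet Options > Security > Sites has written to the registry.
$ZoneNames = @{
    0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
    3 = 'Internet';    4 = 'Restricted sites'
}

function Get-ZoneMapEntry {
    param(
        # Domain to audit; 'myapp.test' is the example domain from the question.
        [Parameter(Mandatory)] [string] $Domain,
        # Per-user and per-machine locations (assumption: no policy-managed lists).
        [string[]] $Root = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        )
    )
    foreach ($r in $Root) {
        $domainKey = Join-Path $r $Domain
        if (-not (Test-Path -LiteralPath $domainKey)) { continue }

        # The domain key itself plus any subkeys stored beneath it.
        $keys = @(Get-Item -LiteralPath $domainKey) +
                @(Get-ChildItem -LiteralPath $domainKey -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            # Each value name is a scheme ('http', 'https', '*'); its data is the zone number.
            foreach ($scheme in $key.GetValueNames()) {
                if ($scheme -eq '') { continue }          # skip the key's default value
                $zone = $key.GetValue($scheme) -as [int]
                if ($null -eq $zone) { continue }         # skip non-numeric data
                [pscustomobject]@{
                    Key      = $key.Name
                    Scheme   = $scheme
                    Zone     = $zone
                    ZoneName = $ZoneNames[$zone]
                }
            }
        }
    }
}

# No output means no per-site assignment is stored for the domain.
Get-ZoneMapEntry -Domain 'myapp.test' | Format-Table -AutoSize
```

Run it before and after changing the site lists to confirm that the entries for the development hosts were actually added or removed.
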
1

In about:flags inside of Edge, make sure that "Allow localhost loopback (this might put your device at risk)" is checked.

answered on Stack Overflow Feb 4, 2016 by Martin Beeby
1

I came across this 'issue' recently and the solution is to go to edge://flags/ (just type it inside of your search bar). After that, do a search for CORS and soon you'll be presented with the Block insecure private network requests flag. All you have to do is select disable and that's it.

answered on Stack Overflow Apr 22, 2021 by Dzenis H.

User contributions licensed under CC BY-SA 3.0