MSIE 11 on Win7. A script in a sandboxed iframe is performing a cross-origin request using jQuery's $.get(). The server supports the CORS headers; it returns the following:
    Access-Control-Allow-Origin: http://myserver:8080
    Access-Control-Allow-Methods: GET
The value of Access-Control-Allow-Origin is initialized to the value of the request's Origin header.
MSIE performs the request, but then throws an error. The console shows two error messages:
    SEC7118: XMLHttpRequest for http://anotherserver/endpoint required Cross Origin Resource Sharing (CORS).
    SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
Meanwhile, in the Network tab of the dev tools I plainly can see the request, with the CORS headers, and with code 200.
The calling code goes:
    $.support.cors = true;
    $.get("http://anotherserver/endpoint", OnSuccess).fail(OnError);
OnError gets called in the script. The effect of the successful API can be plainly observed elsewhere.
The same logic works as expected in Chrome.
What am I missing here?
This is all happening in a corporate environment. MSIE settings are driven by group policy. The site is in the Local Intranet zone, security for the zone is set to Medium-Low. Could this be an effect of a group policy setting?
EDIT: the request headers are:
    Referer: http://myserver:8080/tfs/_apis/public/gallery/publisher/acme/extension/myext/3.11.0/assetbyname/web/main.html
    Accept: */*
    Accept-Language: en-US
    Origin: http://myserver:8080
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
    Host: anotherserver
    Connection: Keep-Alive
    Cache-Control: no-cache
And the response headers are:
    Cache-Control: private
    Content-Type: application/json
    Server: Microsoft-IIS/8.5
    Access-Control-Allow-Origin: http://myserver:8080
    Access-Control-Allow-Methods: GET
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Tue, 02 Jan 2018 16:26:10 GMT
    Content-Length: 71
EDIT: reproduced on a clean sample. ASP.net project.
Default.htm:
    <!DOCTYPE html>
    <html>
    <body>
        <iframe sandbox="allow-forms allow-modals allow-pointer-lock allow-popups allow-scripts allow-top-navigation" src="ifr.htm"></iframe>
    </body>
    </html>
Ifr.htm:
    <!DOCTYPE html>
    <html>
    <head>
        <script type="text/javascript" src="jquery-3.3.1.min.js"></script>
        <script type="text/javascript">
            function onl()
            {
                $.get("svc", null, function (d) { alert("Got it!"); });
            }
        </script>
    </head>
    <body onload="onl();">
    </body>
    </html>
The portion of Web.config that lists the service endpoint:
    <system.webServer>
        <handlers>
            <add path="svc" name="Svc" verb="GET,OPTIONS" type="wtest.Svc" resourceType="Unspecified"/>
        </handlers>
    </system.webServer>
wtest.Svc:
    using System.Text;
    using System.Web;

    namespace wtest
    {
        public class Svc : IHttpHandler
        {
            public bool IsReusable => true;

            public void ProcessRequest(HttpContext Ctxt)
            {
                Ctxt.Response.ContentType = "application/json";

                // Echo the request's Origin header back as the allowed origin.
                string s;
                if ((s = Ctxt.Request.Headers.Get("Origin")) != null)
                    Ctxt.Response.AddHeader("Access-Control-Allow-Origin", s);
                Ctxt.Response.AddHeader("Access-Control-Allow-Methods", "GET,OPTIONS");
                Ctxt.Response.AddHeader("Access-Control-Allow-Headers", "Accept,X-Requested-With");

                if (Ctxt.Request.HttpMethod == "OPTIONS")
                    Ctxt.Response.StatusCode = 204; // preflight: headers only, no body
                else
                {
                    // Write the JSON body as UTF-8 without a byte-order mark.
                    byte[] b = new UTF8Encoding(false).GetBytes("{\"result\":\"ok\"}");
                    Ctxt.Response.OutputStream.Write(b, 0, b.Length);
                }
            }
        }
    }
Works on Chrome, errors out on MSIE. What am I missing?
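Added example, not part of the original post or the asker's project: a model of the CORS check as the Fetch standard defines it, applied to the sandbox attribute from Default.htm, which has no allow-same-origin token. The helper names and the frame URL are constructed for illustration, and whether MSIE 11 evaluates the check this way is an assumption the page does not confirm.

```javascript
// Added example: models the standard CORS check for a sandboxed frame.
// Helper names are hypothetical; they are not browser or jQuery APIs.

// A sandboxed iframe gets an opaque origin unless its sandbox attribute
// contains allow-same-origin; an opaque origin serializes as "null".
function effectiveOrigin(documentUrl, sandboxAttr) {
  if (sandboxAttr != null) {
    const tokens = sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean);
    if (!tokens.includes("allow-same-origin")) return "null";
  }
  return new URL(documentUrl).origin;
}

// CORS check: the response is readable only if Access-Control-Allow-Origin
// is "*" (non-credentialed requests only) or exactly equal to the serialized
// origin of the requester.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (!withCredentials && acao === "*") return { ok: true, reason: "wildcard" };
  if (acao !== requestOrigin)
    return { ok: false, reason: `ACAO "${acao}" != origin "${requestOrigin}"` };
  if (withCredentials && h["access-control-allow-credentials"] !== "true")
    return { ok: false, reason: "credentials not allowed" };
  return { ok: true, reason: "origin match" };
}

// Server side of the sample: reflects whatever Origin header it receives.
function reflectingServer(originHeader) {
  const headers = { "Access-Control-Allow-Methods": "GET,OPTIONS" };
  if (originHeader != null) headers["Access-Control-Allow-Origin"] = originHeader;
  return headers;
}

// Sandbox attribute copied from Default.htm; the frame URL is constructed.
const SANDBOX = "allow-forms allow-modals allow-pointer-lock allow-popups allow-scripts allow-top-navigation";
const FRAME_URL = "http://myserver:8080/ifr.htm";

// Runs the check for the sandboxed frame given the Origin header value sent.
function scenario(originHeaderSent) {
  const origin = effectiveOrigin(FRAME_URL, SANDBOX);
  return corsCheck(origin, reflectingServer(originHeaderSent));
}

console.log(scenario("null"));                 // header matches the opaque origin
console.log(scenario("http://myserver:8080")); // header as captured in the question
```

Because the handler echoes any Origin value, including null, it grants read access to every requesting origin; comparing the header against an allowlist before echoing it narrows that.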