MSIE 11, sandboxed iframe, CORS is supported and still a cross-origin error


MSIE 11 on Win7. A script in a sandboxed iframe is performing a cross-origin request using jQuery's $.get(). The server supports the CORS headers; it returns the following:

Access-Control-Allow-Origin: http://myserver:8080
Access-Control-Allow-Methods: GET

The value of Access-Control-Allow-Origin is initialized to the value of the request's Origin header.

MSIE performs the request, but then throws an error. The console shows two error messages:

SEC7118: XMLHttpRequest for http://anotherserver/endpoint required Cross Origin Resource Sharing (CORS).
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Meanwhile, in the Network tab of the dev tools I can plainly see the request, with the CORS headers, and with code 200.

The calling code goes:

$.support.cors = true;
$.get("http://anotherserver/endpoint", OnSuccess).fail(OnError);  

OnError gets called in the script. The effect of the successful API can be plainly observed elsewhere.

The same logic works as expected in Chrome.

What am I missing here?

This is all happening in a corporate environment. MSIE settings are driven by group policy. The site is in the Local Intranet zone, security for the zone is set to Medium-Low. Could this be an effect of a group policy setting?

EDIT: the request headers are:

Referer: http://myserver:8080/tfs/_apis/public/gallery/publisher/acme/extension/myext/3.11.0/assetbyname/web/main.html
Accept: */*
Accept-Language: en-US
Origin: http://myserver:8080
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Host: anotherserver
Connection: Keep-Alive
Cache-Control: no-cache

And the response headers are:

Cache-Control: private
Content-Type: application/json
Server: Microsoft-IIS/8.5
Access-Control-Allow-Origin: http://myserver:8080
Access-Control-Allow-Methods: GET
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jan 2018 16:26:10 GMT
Content-Length: 71

EDIT: reproduced on a clean sample. ASP.NET project.

Default.htm:

<!DOCTYPE html>
<html>
<body>
    <iframe sandbox="allow-forms allow-modals allow-pointer-lock allow-popups allow-scripts allow-top-navigation" src="ifr.htm"></iframe>
</body>
</html>

Ifr.htm:

<!DOCTYPE html>
<html>
<head>
    <script type="text/javascript" src="jquery-3.3.1.min.js"></script>
    <script type="text/javascript">
        function onl()
        {
            $.get("svc", null, function (d) { alert("Got it!"); });
        }
    </script>
</head>
<body onload="onl();">
</body>
</html>

The portion of Web.config that lists the service endpoint:

<system.webServer>
    <handlers>
        <add path="svc" name="Svc" verb="GET,OPTIONS" type="wtest.Svc" resourceType="Unspecified"/>
    </handlers>
</system.webServer>

wtest.Svc:

using System.Text;
using System.Web;

namespace wtest
{
    public class Svc : IHttpHandler
    {
        public bool IsReusable => true;

        public void ProcessRequest(HttpContext Ctxt)
        {
            Ctxt.Response.ContentType = "application/json";

            // Echo the request's Origin header back as the allowed origin.
            string s;
            if ((s = Ctxt.Request.Headers.Get("Origin")) != null)
                Ctxt.Response.AddHeader("Access-Control-Allow-Origin", s);
            Ctxt.Response.AddHeader("Access-Control-Allow-Methods", "GET,OPTIONS");
            Ctxt.Response.AddHeader("Access-Control-Allow-Headers", "Accept,X-Requested-With");

            // Preflight requests get an empty 204; GET returns the JSON body.
            if (Ctxt.Request.HttpMethod == "OPTIONS")
                Ctxt.Response.StatusCode = 204;
            else
            {
                byte[] b = new UTF8Encoding(false).GetBytes("{\"result\":\"ok\"}");
                Ctxt.Response.OutputStream.Write(b, 0, b.Length);
            }
        }
    }
}

Works on Chrome, errors out on MSIE. What am I missing?

jquery
internet-explorer
cors
asked on Stack Overflow Dec 29, 2017 by Seva Alekseyev • edited Oct 19, 2018 by Seva Alekseyev
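
An added example, not part of the original question: it evaluates the sandbox attribute and the echoed Access-Control-Allow-Origin header quoted above against the HTML Standard's sandboxed-origin rule and the Fetch Standard's CORS check. The function names and the `/ifr.htm` URL are assumptions, and the code models the standards, not any particular browser's internals.

```javascript
// Added example: models the HTML Standard's sandboxed-origin rule and the
// Fetch Standard's CORS check, using the values quoted in the question.

// Serialized origin of a document in an iframe. sandboxAttr is null when the
// attribute is absent. Without the allow-same-origin token the document gets
// an opaque origin, which serializes as the string "null".
function serializedOrigin(documentUrl, sandboxAttr) {
  if (sandboxAttr !== null) {
    const tokens = sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean);
    if (!tokens.includes("allow-same-origin")) return "null";
  }
  return new URL(documentUrl).origin;
}

// Fetch Standard "CORS check": true when the response may be exposed to script.
function corsCheck(requestOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (!withCredentials && acao === "*") return true;
  if (acao !== requestOrigin) return false; // exact string comparison
  if (!withCredentials) return true;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Server behaviour described in the question: echo the Origin request header.
function reflectingServer(originHeader) {
  const headers = { "access-control-allow-methods": "GET" };
  if (originHeader != null) headers["access-control-allow-origin"] = originHeader;
  return headers;
}

const SANDBOX = "allow-forms allow-modals allow-pointer-lock allow-popups " +
                "allow-scripts allow-top-navigation"; // from Default.htm
const PAGE = "http://myserver:8080/ifr.htm";          // constructed URL

// Would the response be exposed to the framed script, given the Origin header
// value that actually went out on the wire?
function exposedToFrame(sandboxAttr, originHeaderSent) {
  const frameOrigin = serializedOrigin(PAGE, sandboxAttr);
  return corsCheck(frameOrigin, reflectingServer(originHeaderSent), false);
}

console.log(serializedOrigin(PAGE, SANDBOX));                // frame origin
console.log(exposedToFrame(SANDBOX, "null"));                // Origin: null echoed
console.log(exposedToFrame(SANDBOX, "http://myserver:8080")); // headers as captured
console.log(exposedToFrame(SANDBOX + " allow-same-origin", "http://myserver:8080"));
```

Every sandboxed document without allow-same-origin serializes to "null", so a server that echoes Origin also admits all of them. Adding allow-same-origin next to allow-scripts for same-origin content lets the framed script remove its own sandbox, so that token is not a neutral change.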

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0