CORS request failure with jQuery using withCredentials and client certificates

  1. GET requests are not preflighted. See Here
  2. When responding to a credentialed request, the server must specify a domain and cannot use wildcarding (must not be Access-Control-Allow-Origin: *). See Here
Author: mikew

Updated on July 09, 2022

Comments

  • mikew
    mikew almost 2 years

    I can't figure out why this CORS request is failing to return data.

    I'm using Catalyst MVC on the backend, Firefox 24.0 as a browser. jQuery 1.9.1. Please note the following:

    1. otherdomain.com requires a client certificate.
    2. hitting the resource directly returns expected data. (https://otherdomain.com/resource/1) returns proper data.

    I have a simple page that tests the request:

    <script type='text/javascript'>
        function get_data() {
            console.log("running");
            $.ajax({
                url: "https://otherdomain.com/resource/1",
                dataType: 'json',
                type: 'GET',
                // send credentials (client certificate / cookies) with the cross-origin request
                xhrFields: {
                    'withCredentials': true
                },
                crossDomain: true
            }).success(function(data) {
                console.log(data);
                $('#output').html(data);
            }).error(function(xhr, status, error) {
                alert("error");
                console.log(xhr);
            });
        }

        $(document).ready(function() {
            get_data();
        });
    </script>


    Here are my request headers:

    GET /resource/1 HTTP/1.1
    Host: otherdomain.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: https://mydomain.com/test.html
    Origin: https://mydomain.com
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    

    Here are my response headers. (copy of view source from firebug console) I see on my catalyst debug output that the request is served as 200 OK and the content is sent.

    HTTP/1.1 200 OK
    Date: Mon, 28 Oct 2013 19:31:08 GMT
    Server: HTTP::Server::PSGI
    Vary: Content-Type
    Content-Length: 653
    Content-Type: application/json
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Methods: POST, GET, OPTIONS
    Access-Control-Allow-Origin: *
    Access-Control-Max-Age: 1800
    X-Catalyst: 5.90030
    Via: 1.1 otherdomain.com
    

    And the error is thrown from the ajax call:

    readyState: 0
    responseText: ""
    status: 0
    statusText: "error"
    

    Firebug shows the response body as empty from the request even though it's a 200 OK.

    I thought that when using 'withCredentials' a pre-flight request was required but I don't see an OPTIONS being sent via firebug.

    Also, I can see no Access-Control-Request-Headers being added by my request, so I'm not returning any Access-Control-Allow-Headers from the server.

    Now, the frontend of Catalyst is Apache2, and I'm using proxypass in a virtual host to send the request to catalyst on localhost:8080. I'm not sure if that has any bearing but thought it might be important. It should be transparent to the browser though.

    Thanks for any help!

  • mikew
    mikew over 10 years
    gah. I had Access-Control-Allow-Origin: <origin> set on one iteration of my program, but not with the Allow-Control-Allow-Credentials: true. I moved it back to use * for Origin when I added Allow-Credentials. I wasn't aware of that requirement. Thanks much for the pointer! Working now.
  • monsur
    monsur over 10 years
    Note that it is not true that GET requests are never preflighted. GET requests can be preflighted if the request contains custom headers.
  • Radderz
    Radderz about 3 years
    I think Allow-Control-Allow-Credentials should be Access-Control-Allow-Credentials (this has solved a CORS error for me when trying to supply credentials)
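The accepted answer's two rules (a credentialed response must echo one specific origin, never `*`) and monsur's caveat (a GET is preflighted as soon as it carries a non-simple header) as an added example that is not code from the question, the answer or Catalyst. `ALLOWED_ORIGINS`, `needsPreflight` and `corsResponseHeaders` are assumed names; the allow-list entry is the asker's own origin from the request headers above.

```javascript
// Added example: the server-side half of a credentialed CORS exchange, written
// as pure functions so it runs anywhere (names and allow-list are assumptions).

// Exact-match allow-list. A credentialed response must name one origin, so the
// server has to know which origins it trusts; never test the Origin header with
// a substring or prefix match, only with full equality.
const ALLOWED_ORIGINS = new Set([
  "https://mydomain.com",
]);

// Request headers the browser treats as "simple" (no preflight) on GET/HEAD/POST.
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Client-side view: will the browser send an OPTIONS preflight first?
// GET is not exempt once a non-simple header (e.g. X-Requested-With) is present.
function needsPreflight(method, headers) {
  const m = method.toUpperCase();
  if (!["GET", "HEAD", "POST"].includes(m)) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return true;
    if (n === "content-type" &&
        !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim())) return true;
  }
  return false;
}

// Server-side view: CORS headers for one request. Returns null for a missing or
// unlisted origin; the caller then answers with no Access-Control-* headers at
// all (falling back to "*" would make the credentialed request fail anyway).
function corsResponseHeaders(method, origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    "Access-Control-Allow-Origin": origin,      // echo the one allowed origin, not "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                           // origin-specific response: keep shared caches honest
  };
  if (method.toUpperCase() === "OPTIONS") {     // preflight-only headers
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Max-Age"] = "1800";
  }
  return headers;
}
```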