Internet Explorer 11 does not add the Origin header on a CORS request?

internet-explorer xmlhttprequest cross-domain cors
41,083

Solution 1

Internet Explorer's definition of the "same origin" differs to the other browsers. See the IE Exceptions section of the MDN documentation on the same-origin policy:

Internet Explorer has two major exceptions when it comes to same origin policy:

  • Trust Zones: if both domains are in highly trusted zone e.g, corporate domains, then the same origin limitations are not applied
  • Port: IE doesn't include port into Same Origin components, therefore http://company.com:81/index.html and http://company.com/index.html are considered from same origin and no restrictions are applied.

Therefore if your cross-origin request occurs across different ports, or within one of IE's trusted zones, IE will not treat the request as cross-origin and will see no need to add the Origin: header.

Solution 2

I just happened to stumble across a reported bug over at a Microsoft associated site that clearly describes my issue. Microsoft staff quickly concluded that:

There is insufficient information to reproduce the behavior you are observing.

Since their first comment and their first attempt (?), they have actually managed to run two different web servers on different ports and reproduced the problem. Latest comment from Microsoft says that they "consider targetting a fix in the future".

Share:
41,083
Martin Andersson
Author by

Martin Andersson

No limits.

Updated on May 24, 2020

Comments

  • Martin Andersson
    Martin Andersson about 4 years

    My issue depends on a couple of assumptions I hold true.

    Assumption nr 1: The Origin Header

    The Origin header is required by the browser to be put on a CORS (Cross Origin Resource Sharing) request.

    Wikipedia:

    To initiate a cross-origin request, a browser sends the request with an Origin HTTP header.

    HTML5 Rocks:

    The first thing to note is that a valid CORS request always contains an Origin header. This Origin header is added by the browser, and can not be controlled by the user.

    W3:

    If the request URL origin is not same origin with the original URL origin, set source origin to a globally unique identifier [..].

    Assumption nr 2: Internet Explorer 10+ support CORS

    See caniuse.com and use google for a couple of hundreds more sources of different kinds claiming the support.

    Assumption nr 3: Different ports is a different origin

    Resources using different port numbers is considered to be of different origins:

    Wikipedia

    Two resources are considered to be of the same origin if and only if all these values are exactly the same. [..] Failure - Same protocol and host but different port.

    Mozilla Developer Network

    Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages.

    The problem:

    Internet Explorer 11 does not send the Origin header when making a CORS request to the same domain "localhost" but using different ports (from 8411 to 8080). Opera, FireFox and Chrome do send the Origin header. Yet everybody keeps saying CORS is supported in Internet Explorer 10+?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

IE https CORS XHR request fails with Script7002: XMLHttpRequest: Network Error 0x2eff
Best method: Access-Control-Allow-Origin Multiple Origin Domains
Origin is not allowed by Access-Control-Allow-Origin
Access-Control-Allow-Origin Multiple Origin Domains?
Why do browser APIs restrict cross-domain requests?
XMLHttpRequest CORS request failing, even with Access-Control-Allow-Origin header
Enabling CORS (Cross Origin Request) in Django
THREE.js: Cross-origin image load denied by Cross-Origin Resource Sharing policy
Ajax Asynchronous in IE - Error "The Data Necessary to Complete This Operation is Not Yet Available"
XMLHttpRequest cannot load. Unloaded resources show caution: Provisional headers are shown