Which browsers allow cross domain ajax calls with Access-Control-Allow-Origin: *?


Here's one reference suggesting that support in modern browsers is reasonable (but see the note at the end of this answer), assuming client-side code handles the IE issue on purpose. (IE8 and IE9 support CORS, but not via XMLHttpRequest — you have to use XDomainRequest instead, and it's worth noting that neither jQuery nor Prototype does that for you in their ajax wrappers — I don't know about other libraries. IE10 finally gets it right.) That page says, in essence, that CORS is supported in the desktop versions of:

  • IE8+ (via XDomainRequest), IE10+ (properly)
  • Firefox 3.6+
  • Safari 4.0+
  • Chrome 6+
  • Opera 12.1+

...as well as

  • iOS Safari 3.2+
  • Android browser 2.1+

You have to ask yourself what your target market is and whether they're likely to still be using older versions of IE, because it matters quite a lot who you're targeting. But overall, you still (for the moment) probably want to look at a JSONP interface — even in the U.S. mostly-home market, IE6+IE7 = about 20% of the users. I don't know many sites that can just ignore a fifth of the market. :-) And if you look at corporate users, or users in Asia or Africa or Central America, that number goes up markedly.

The foregoing was true in 2010. Here in 2013, China is really the only holdout using IE6 (>24% there). Worldwide, IE6 and IE7 users have moved on to IE8 and IE9, and even big corporate and government users have finally "got it" about the security risks. IE8 will be with us for a while (as that's as high as IE goes on Windows XP), but you can bet the nearly 20% using IE9 will be on IE10 soon.

Author by

Chad DeShon

Updated on May 11, 2022
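
The answer above notes that IE8 and IE9 reach CORS only through XDomainRequest and that ajax wrappers may not switch to it for you. The following is an added example, not code from the question or the answer, showing that choice made by feature detection; `pickCorsTransport`, `openCrossOrigin`, `hasOwnKeys` and the `env` parameter are names assumed for illustration.

```javascript
// Added example. `env` stands in for the browser's `window` so the same
// logic can be exercised outside a browser with stub constructors.
function pickCorsTransport(env) {
  // A CORS-capable XMLHttpRequest exposes `withCredentials`.
  if (env.XMLHttpRequest && 'withCredentials' in new env.XMLHttpRequest()) {
    return 'xhr';
  }
  // IE8 and IE9: CORS is only reachable through XDomainRequest.
  if (env.XDomainRequest) {
    return 'xdr';
  }
  // No CORS at all: the caller needs JSONP or a same-origin proxy.
  return 'none';
}

function hasOwnKeys(obj) {
  for (var k in obj) {
    if (Object.prototype.hasOwnProperty.call(obj, k)) return true;
  }
  return false;
}

// Open (but do not send) a cross-origin request on the best transport.
// XDomainRequest is narrower than XMLHttpRequest: GET and POST only, no
// custom request headers, no cookies. Fail loudly rather than silently
// sending a different request from the one the caller asked for.
function openCrossOrigin(env, method, url, headers) {
  var transport = pickCorsTransport(env);
  var verb = String(method).toUpperCase();
  var req = null;
  if (transport === 'xhr') {
    req = new env.XMLHttpRequest();
    req.open(verb, url, true);
    for (var name in headers) {
      if (Object.prototype.hasOwnProperty.call(headers, name)) {
        req.setRequestHeader(name, headers[name]);
      }
    }
  } else if (transport === 'xdr') {
    if (verb !== 'GET' && verb !== 'POST') {
      throw new Error('XDomainRequest cannot send ' + verb);
    }
    if (hasOwnKeys(headers)) {
      throw new Error('XDomainRequest cannot set request headers');
    }
    req = new env.XDomainRequest();
    req.open(verb, url);
  }
  return { transport: transport, request: req };
}
```

In a page, pass `window` as `env`; a `'none'` result is the point where a JSONP fallback would take over.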

Comments

  • Chad DeShon
    Chad DeShon almost 2 years

    Which browsers allow cross domain ajax calls with Access-Control-Allow-Origin: *? I am setting a REST service and trying to decide if I need to support JSONP to allow cross domain javascript access or if it is good enough to set the Access-Control-Allow-Origin header.

  • Marcel Korpel
    Marcel Korpel over 13 years
    Pity I cannot vote twice (once for the support table, once for the warning against minimizing the number of IE 6(/7) users).
  • T.J. Crowder
    T.J. Crowder about 12 years
    The good news is that the figures related to the last paragraph are now plummeting quite quickly. IE6 in the U.S. market is now under 1%; I don't have a figure for IE7 because NetApplications is now charging (understandably!) for their geographic filter. But IE7 worldwide has only about two-thirds of IE6's market share, so for the U.S. home market, we're probably there. Oddly, Opera 11 still doesn't support CORS, but 12 supposedly will.
  • Rebs
    Rebs over 8 years
    This is correct. Many browsers will simply ignore Access-Control-Allow-Origin if it is set to the * wildcard.