Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CORS request with IE11

I have a CORS (cross origin resource sharing) request coming from my login page to the application site, on a different URL. I have a simple page I ping to determine if a user is already logged in, and if so, redirects them. Otherwise I show a login page. I use jQuery.

This works great in safari, chrome, firefox... and not IE (naturally). According to MS, IE 10 and later should support CORS requests with withCredentials

I'm using jquery-2.0.3.min.js

Any ideas why this isn't working in IE11?

EDIT: It appears as though it IS partially working, as it is now returning a value of {"id":false}. This happens every time, meaning that the server is never getting the credentials. I am also posting my is_logged_in page, I am using the code igniter framework.

EDIT: After enabling "Allow data sources across domains" under IE's security settings, I no longer receive any error messages.

The exact error I receive is:

SEC7118: XMLHttpRequest for http://mysite.net/guest/is_logged_in required Cross Origin Resource Sharing (CORS).

$.ajax({ url: 'http://mysite.net/guest/is_logged_in', type: 'POST', crossDomain: true, xhrFields: {        withCredentials: true   },  dataType: 'json', success: function(data) {      if(data.id) {         window.location.replace("http://mysite.net");     } } }); 

and

public function is_logged_in() {     $allowed = array(         'http://mysite.net',         'http://www.mysite.net',         'http://www.mysite.com',     );      $url = $_SERVER['HTTP_REFERER'];     $url = substr($url, 0, strpos($url, '/', 8));     if(isset($_SERVER['HTTP_ORIGIN']))     {         if(in_array($_SERVER['HTTP_ORIGIN'], $allowed))         {             $this->output->set_header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);         }     }     else     {         if(in_array($url, $allowed))         {             $this->output->set_header('Access-Control-Allow-Origin: ' . $url);         }     }       $this->output->set_header('Access-Control-Allow-Headers: X-Requested-With');     $this->output->set_header('Access-Control-Allow-Credentials: true');     $this->output->set_header("Access-Control-Expose-Headers: Access-Control-Allow-Origin");       //TODO: Try to detect if this is an ajax request, and disallow it if not.      $data = new stdClass();     $this->load->library("ion_auth");     if($this->ion_auth->logged_in())     {         $data->name = $this->ion_auth->user()->row()->first_name;         $data->id = $this->ion_auth->get_user_id();     } else {         $data->id = false;     }      $this->output->set_output(json_encode($data));  } 

Thanks in advance

like image 900
Drew Avatar asked Nov 25 '13 16:11

Drew


People also ask

How do I request CORS?

To enable CORS on your server application, you need two things: First, you need to determine the origins of whitelist. Second, you have to add the CORS middleware to the server.

Does browser block CORS?

CORS is a security mechanism built into (all) modern web-browsers (yes! into your web browser! That's why your curl calls works fine). It basically blocks all the http requests from your front end to any API that is not in the same “Origin” (domain, protocol, and port—which is the case most of the time).


1 Answers

Changing the setting for "Access data sources across domains" to Enabled turns off cross-domain checks in IE and is horrifically unsafe. Instead, you need to ensure that the target 3rd-party resource sends a valid P3P policy that indicates that it's not doing horrible things to the user's privacy.

like image 139
EricLaw Avatar answered Oct 03 '22 00:10

EricLaw