I have a CORS (cross origin resource sharing) request coming from my login page to the application site, on a different URL. I have a simple page I ping to determine if a user is already logged in, and if so, redirects them. Otherwise I show a login page. I use jQuery.
This works great in safari, chrome, firefox... and not IE (naturally). According to MS, IE 10 and later should support CORS requests with withCredentials
I'm using jquery-2.0.3.min.js
Any ideas why this isn't working in IE11?
EDIT: It appears as though it IS partially working, as it is now returning a value of {"id":false}. This happens every time, meaning that the server is never getting the credentials. I am also posting my is_logged_in page, I am using the code igniter framework.
EDIT: After enabling "Allow data sources across domains" under IE's security settings, I no longer receive any error messages.
The exact error I receive is:
SEC7118: XMLHttpRequest for http://mysite.net/guest/is_logged_in required Cross Origin Resource Sharing (CORS).
$.ajax({ url: 'http://mysite.net/guest/is_logged_in', type: 'POST', crossDomain: true, xhrFields: { withCredentials: true }, dataType: 'json', success: function(data) { if(data.id) { window.location.replace("http://mysite.net"); } } });
and
public function is_logged_in() { $allowed = array( 'http://mysite.net', 'http://www.mysite.net', 'http://www.mysite.com', ); $url = $_SERVER['HTTP_REFERER']; $url = substr($url, 0, strpos($url, '/', 8)); if(isset($_SERVER['HTTP_ORIGIN'])) { if(in_array($_SERVER['HTTP_ORIGIN'], $allowed)) { $this->output->set_header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']); } } else { if(in_array($url, $allowed)) { $this->output->set_header('Access-Control-Allow-Origin: ' . $url); } } $this->output->set_header('Access-Control-Allow-Headers: X-Requested-With'); $this->output->set_header('Access-Control-Allow-Credentials: true'); $this->output->set_header("Access-Control-Expose-Headers: Access-Control-Allow-Origin"); //TODO: Try to detect if this is an ajax request, and disallow it if not. $data = new stdClass(); $this->load->library("ion_auth"); if($this->ion_auth->logged_in()) { $data->name = $this->ion_auth->user()->row()->first_name; $data->id = $this->ion_auth->get_user_id(); } else { $data->id = false; } $this->output->set_output(json_encode($data)); }
Thanks in advance
To enable CORS on your server application, you need two things: First, you need to determine the origins of whitelist. Second, you have to add the CORS middleware to the server.
CORS is a security mechanism built into (all) modern web-browsers (yes! into your web browser! That's why your curl calls works fine). It basically blocks all the http requests from your front end to any API that is not in the same “Origin” (domain, protocol, and port—which is the case most of the time).
Changing the setting for "Access data sources across domains" to Enabled turns off cross-domain checks in IE and is horrifically unsafe. Instead, you need to ensure that the target 3rd-party resource sends a valid P3P policy that indicates that it's not doing horrible things to the user's privacy.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With