CORS withCredentials - support limited?

Question

I've noticed that certain browsers do not seem to support withCredentials in CORS requests, at least under some conditions. Specifically, in IE 10, attempting to set xhr.withCredentials = true results in:

SCRIPT5022: InvalidStateError

and in Safari 5 (but not 6) I get

INVALID_STATE_ERR: DOM Exception 11: An attempt was made to use an object that is not, or is no longer, usable.

again, in response to the same statement.

Are these known problems, or am I setting up my XHR wrong somehow? Is there a list of which browsers support withCredentials?

Answer 1

The August 16, 2011 XHR draft specifies a rule for setting withCredentials:

When set: throws an INVALID_STATE_ERR exception if the state is not OPENED or if the send() flag is true.

However, the January 17, 2012 draft is more permissive:

When set: throws an InvalidStateError exception if the state is not UNSENT or OPENED, or if the send() flag is set.

You are probably setting withCredentials before calling .open, which is disallowed by the 2011 spec but allowed by the 2012 spec. To comply with both, simply move your property assignment after your call to .open.