Since jQuery ajax is not working for CORS/IE, I'm using XDomainRequest
to retrieve data from another server. Works fine, but I would like to send some headers ('Authentification', 'content-type').
Is there a chance to add/change headers in XDomainRequest?
Or does someone know a workaround?
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
Internet Explorer 9 and earlier ignore Access-Control-Allow headers and by default prohibit cross-origin requests for the Internet Zone. To enable cross-origin access, go to Tools -> Internet Options -> Security tab and click the “Custom Level” button. Find the Miscellaneous -> Access data sources across domains setting and select the “Enable” option.
If your server is located in the Intranet Zone, by default IE will pop up a confirmation dialog during the first cross-domain request: “This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?”.
To enable cross-origin requests in Firefox, Safari, Chrome and IE 10 and later, your server must attach the following headers to all responses: These headers will enable cross-domain requests in Firefox 3.6+, Safari 4+, Chrome 4+, Edge, and IE 10+. Older versions of these browsers do not allow cross-domain requests. Important!
To display the login dialog for cross-origin requests, the browser must first send a GET request. This request cannot be sent via XmlHttpRequest but only by directly accessing the server, for example via an iframe.
This is what we did for IE.
If you have control over the target domain, host a (static) html file there. Include the html using the iframe.
Now this iframe does actually have access to the local domain, so you can communicate between the parent and child frame to get what you need.
This worked much better than XDomainRequest for us.
window.postMessage is the best way to set up the communication:
But I'm pretty sure that only started working since IE8. If you require older browsers as well, you must use a different hack.
In our case, this was our 3-layer system:
All of these options work well, are reliable and didn't feel too much like a hack. The secondary fallback was barely ever used.
Keep in mind that the 'Authentication' header specifically is special, and I would not be shocked that that's blocked under certain circumstances anyway. We added a custom header 'X-Authenticate' as it did pass through all the time.
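A sketch of the iframe and window.postMessage relay described in the answer above, added here as an example and not code from the original posts. The origins, the `{id, path, token}` message shape and the function names are assumptions; `X-Authenticate` is the custom header the answer mentions. Both sides check `event.origin`, because any page can frame the proxy or post messages to the parent.

```javascript
// Proxy side: runs in the static HTML page hosted on the API's own origin (the iframe).
// sendRequest(path, headers, done) is a hypothetical wrapper around a same-origin XHR.
function makeProxyHandler(allowedParents, sendRequest) {
  return function onProxyMessage(event) {
    // 1. Serve only allowlisted parent origins; event.origin is set by the browser.
    if (allowedParents.indexOf(event.origin) === -1) return false;
    var msg;
    try { msg = JSON.parse(event.data); } catch (e) { return false; } // string payloads only
    // 2. Accept same-origin relative paths only, so the relay cannot be aimed elsewhere.
    if (!msg || typeof msg.path !== 'string' || !/^\/(?![\/\\])/.test(msg.path)) return false;
    // 3. A same-origin request from the frame can carry headers XDomainRequest cannot.
    sendRequest(msg.path, { 'X-Authenticate': String(msg.token) }, function (status, body) {
      // 4. Reply to the validated origin, never to '*'.
      var reply = JSON.stringify({ id: msg.id, status: status, body: body });
      event.source.postMessage(reply, event.origin);
    });
    return true;
  };
}

// Parent side: accept replies only from the proxy's origin and its iframe window.
// pending maps request ids to callbacks awaiting a reply.
function makeParentHandler(proxyOrigin, proxyWindow, pending) {
  return function onParentMessage(event) {
    if (event.origin !== proxyOrigin || event.source !== proxyWindow) return false;
    var reply;
    try { reply = JSON.parse(event.data); } catch (e) { return false; }
    if (!reply || !Object.prototype.hasOwnProperty.call(pending, reply.id)) return false;
    var callback = pending[reply.id];
    delete pending[reply.id]; // one reply per request; repeats are ignored
    callback(reply.status, reply.body);
    return true;
  };
}

// Browser wiring (constructed origins), shown as comments so the block runs without a DOM:
//   in the iframe: window.addEventListener('message',
//                    makeProxyHandler(['https://app.example'], sendRequest));
//   in the parent: window.addEventListener('message',
//                    makeParentHandler('https://api.example', frame.contentWindow, pending));
```
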
IE's XDomainRequest does not allow custom headers to be set. See item #3 here: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx The XDomainRequest object is locked down to the point where it is difficult to make authenticated requests.