
Firefox: Cross-domain requests with credentials return empty

When Firefox sends a cross-domain post with credentials, I can (using Charles - a proxy for HTTP debugging) see that the server is sending back the response… But Firefox isn't "letting me see it" (for lack of a better description).

For example, using the documented example:

>>> var invocation = new XMLHttpRequest();
>>> invocation.open('GET', 'http://localhost/~wolever/cookie.php', true);
>>> invocation.withCredentials=true;
>>> invocation.onreadystatechange = console.log;
>>> invocation.send()
http://img.skitch.com/20100113-bq3a4qb1ufn52331x18ce3c7xu.png
>>> invocation.responseText
""
>>> invocation.responseXML
null

However, Charles tells me that this request has, in fact, returned the expected response:

http://img.skitch.com/20100113-njakyu4xequ5e3cyfhfnyeatq5.png

Any idea what could be going wrong?

And, in case it helps: the same request without credentials returns data as it should.

David Wolever asked Feb 28 '23 19:02


1 Answer

This is from the bottom of the MDC section you linked to:

Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *.

I bet you missed this, it's hidden under a couple big example code blocks.

jbalogh answered Apr 26 '23 01:04
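
The rule quoted in the answer, as an added example that is not part of the original thread: a small model of the check the browser applies before exposing a cross-origin response to script, next to a server-side header builder that passes it. The function names, the allowlist and the `http://app.example` origin are assumptions made for illustration.

```javascript
// Added example. Origins are constructed sample values.
const ALLOWED_ORIGINS = new Set(['http://app.example']);

// Server side: CORS headers for an endpoint that accepts credentialed requests.
// Only allowlisted origins get a grant; the Origin header is never echoed blindly.
function corsHeadersFor(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!requestOrigin || !allowed.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin, // exact origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving this grant to another origin
  };
}

// Browser side: may script on pageOrigin read the response?
function responseReadable(pageOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === pageOrigin;
  // Credentialed: wildcard is rejected and Allow-Credentials must be "true".
  return acao === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// The situation in the question: wildcard header, request sent both ways.
function demo() {
  const page = 'http://app.example';
  const wildcard = { 'Access-Control-Allow-Origin': '*' };
  return {
    wildcardWithCredentials: responseReadable(page, true, wildcard),
    wildcardWithoutCredentials: responseReadable(page, false, wildcard),
    exactOriginWithCredentials: responseReadable(page, true, corsHeadersFor(page)),
    unlistedOrigin: responseReadable('http://other.example', true,
      corsHeadersFor('http://other.example')),
  };
}

console.log(demo());
```

With the wildcard header the server still sends the body, which is why the proxy shows it, but the browser withholds it from `responseText`.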