Mac browsers seem to swallow initial CORS XHR preflight request

Question

I have a very simple CORS-enabled Node.js web server running on another machine in my office. I set it running on port 8080.

If I send it, as an initial request, something that triggers a preflight (such as a request with content-type application/json), it will fail, but only under very specific conditions:

1. The server is running on port 80 or 8080. Any other port works fine.
2. I'm sending the request from a Mac (OS X 10.8.5). No matter if I run the server on the local machine or a separate Windows machine, same effect. If I run the server on my Mac and make the request from my Windows machine, it works fine.

Here's the code I'm using to send the request:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://myserver.domain.com'); // NOT the real URL of course...
xhr.setRequestHeader('Content-Type', 'application/json'); // Triggers the preflight OPTIONS request.
xhr.send();

Very simple. No bells nor whistles, but for some reason, if I run that request on a Mac, the browser seems to swallow the OPTIONS request before it's ever sent. I receive no indication it was ever received by the server, and the browser console displays a (relatively useless) error. All three major browsers (Chrome, Safari, and Firefox) display the same behavior.

Other colleagues with similar Macs have tried this as well with the same results, so it doesn't appear to be specific to my machine in particular.

I thought it may be an issue with my server, because I tried the same against a well-known CORS-enabled API server (namely api.github.com) and that worked just fine. However, I've run it against 2 completely different server applications locally with the same results.

CORS response headers seem fine - as I said it works perfectly if I send the request from a Windows browser. Also, if I initially send a non-preflighted request, subsequent preflighted requests also work fine.

I thought it may be an issue with running the server or client on "localhost" or "127.0.0.1", but I've also run both using their hostnames with the same results.

There's no SSL involved, everything is cleartext over HTTP.

Has anyone ever seen this sort of behavior before, specific to Mac browsers?

Answer 1

Found the answer to my own question.

Cisco AnyConnect client for Mac appears to cause problems with CORS requests.

Tipped off by this: Computer Blocking CORS OPTIONS Request I uninstalled it and now everything works perfectly.

The commenters on my question were onto it, but I hadn't suspected VPN software would cause this sort of issue when it was, y'know, not running.

UPDATE

Apparently reinstalling it without the Web Security module will solve the problem.

http://www.bennadel.com/blog/2559-Cisco-AnyConnect-VPN-Client-May-Block-CORS-AJAX-OPTIONS-Requests.htm