Which browsers allow cross domain ajax calls with Access-Control-Allow-Origin: *?
I am setting up a REST service and trying to decide if I need to support JSONP to allow cross domain javascript access or if it is good enough to set the Access-Control-Allow-Origin header.
By default you are not allowed to make AJAX requests to another domain. Your browser applies the Same-origin policy as part of the web security model. To allow the browser to make a cross domain request from foo.app.moxio.com to sso.moxio.com we must set up a CORS policy on the target domain.
To enable cross-origin access, go to Tools -> Internet Options -> Security tab and click on the “Custom Level” button. Find the Miscellaneous -> Access data sources across domains setting and select the “Enable” option.
CORS is a mechanism that defines a procedure in which the browser and the web server interact to determine whether to allow a web page to access a resource from a different origin. When you do a cross-origin request, the browser sends the Origin header with the current domain value.
Figure 2. Cross domain ajax request.
The browser does not allow cross-domain AJAX requests due to security issues. Cross-domain requests are allowed only if the server specifies a same-origin security policy. To enable CORS, you need to specify the HTTP headers below on the server.
Here's one reference suggesting that support in modern browsers is reasonable (but see the note at the end of this answer), assuming client-side code handles the IE issue on purpose. (IE8 and IE9 support CORS, but not via XMLHttpRequest—you have to use XDomainRequest instead, and it's worth noting that neither jQuery nor Prototype does that for you in their ajax wrappers — I don't know about other libraries. IE10 finally gets it right.) That page says, in essence, that CORS is supported in the desktop versions of:
XDomainRequest
), IE10+ (properly)...as well as
You have to ask yourself what your target market is and whether they're likely to still be using older versions of IE, because it matters quite a lot who you're targeting. But overall, you still (for the moment) probably want to look at a JSONP interface — even in the U.S. mostly-home market, IE6+IE7 = about 20% of the users. I don't know many sites that can just ignore a fifth of the market. :-) And if you look at corporate users, or users in Asia or Africa or Central America, that number goes up markedly.
The foregoing was true in 2010. Here in 2013, China is really the only holdout using IE6 (>24% there). Worldwide, IE6 and IE7 users have moved on to IE8 and IE9, and even big corporate and government users have finally "got it" about the security risks. IE8 will be with us for a while (as that's as high as IE goes on Windows XP), but you can bet the nearly 20% using IE9 will be on IE10 soon.
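The Origin / Access-Control-Allow-Origin exchange described above, modelled for a simple GET from foo.app.moxio.com to sso.moxio.com, as an added example that is not part of the original question or answers. The https scheme, the allowlist, other.example and all function names are assumptions, and the browser-side function is a simplified model of the check a CORS-capable browser performs.

```javascript
// Added example: models the CORS exchange for a simple (non-preflighted) GET.
// The allowlist below is an assumption built from the origins named on the page.
const ALLOWED_ORIGINS = new Set(["https://foo.app.moxio.com"]);

// Server side (sso.moxio.com): choose CORS headers for the received Origin header.
function corsHeaders(requestOrigin, { wildcard = false, credentials = false } = {}) {
  const headers = {};
  if (wildcard) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
    // Echo the origin only after an exact allowlist match.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    // The response now differs per origin, so caches must key on it.
    headers["Vary"] = "Origin";
  }
  if (credentials && headers["Access-Control-Allow-Origin"]) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: may script running on pageOrigin read this response?
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false; // no CORS policy: same-origin policy blocks it
  if (withCredentials) {
    // With cookies attached, "*" is refused: exact origin plus the credentials flag.
    return acao === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// One round trip: the browser sends Origin, the server answers, the browser decides.
function simulate(pageOrigin, serverOptions, withCredentials = false) {
  const headers = corsHeaders(pageOrigin, serverOptions);
  return browserAllowsRead(pageOrigin, headers, withCredentials);
}
```

The wildcard lets script on any origin read the response, so it suits only data that is public anyway, and it stops working once the request carries cookies.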