4

I have an IE bug I can't seem to figure out. I am supporting IE 10 and 11 only so I thought I could get away with the following code.

I have an AJAX request:

```js
$.ajax({
    type: {method},
    url: {url},
    cache: false,
    crossDomain: true,
    data: {data to send},
    success: function (data, textStatus, xhr) {
        // success code
    },
    error: function (xhr, textStatus, errorThrown) {
        // error code
    }
});
```

This code works great in Firefox and Chrome. It doesn't work in IE 10,11. I was under the impression that CORS was fixed in IE 10,11 no?

Why do I get the following error in IE 10,11?

{"readyState":0,"status":0,"statusText":"Error: Access is denied.\r\n"}
David Ward
  • unrelated, but `crossDomain: true` isn't needed if you're making a crossDomain request. (weird right?) If you would like to know why, see the documentation for the crossDomain option. – Kevin B Apr 22 '14 at 20:41
  • Are you sure you are actually running in IE10 or 11 standards mode? Often times when testing in a development environment IE will default to compatibility mode which puts you back to IE8 or IE7. – Kevin B Apr 22 '14 at 20:43
  • I'm getting the same error and CORS setup is done on server but request never appears in Network tab of IE. Always xhr.status=0. Any ideas? – Nilesh Thakkar Apr 23 '14 at 06:49
  • Thanks everyone. No luck though. So for me the server is set up correctly and everything works in chrome and firefox. Also if I change the User agent string to 'Google Chrome' it works in IE. If I set it to IE 10 or 11 I get the error I mentioned previously. Also I am sure I am not using compatibility mode. I double checked just now. – David Ward Apr 23 '14 at 12:14
  • You'll need to show a transcript of the HTTP traffic between client and server in order to receive any further help on this. The issue is either in your client code or your server code. – Ray Nicholus Apr 23 '14 at 14:44
  • Ok I tracked down some more information. This code is being run in a Visualforce page. I outlined the issue in more [depth](https://developer.salesforce.com/forums/ForumsMain?id=906F0000000AABGIA4). It seems inside the Visualforce page my APEX request is failing at `xhr.open( s.type, s.url, s.async );`. When I run the code above in JSFiddle on IE everything works fine. So the Visualforce page must be doing something in IE. I just can't figure out what. – David Ward Apr 23 '14 at 16:23

1 Answer

3

So I needed to enable 'Access data sources across domains'.

Steps:

  1. Select Internet Options
  2. Select the Security Tab
  3. Select Custom level...
  4. Scroll down to Miscellaneous
  5. Find Access data sources across domains
  6. Change the value to Enable
David Ward
  • 2
    You're going to have to require all of your customers to do this as well, which doesn't sound reasonable. – Ray Nicholus Apr 23 '14 at 17:22
  • I know but what is the alternative? – David Ward Apr 23 '14 at 17:47
  • You'll need to show a transcript of the HTTP traffic between client and server for starters. – Ray Nicholus Apr 23 '14 at 17:48
  • That's just it. There is no traffic if the above setting is not enabled. It fails before anything is sent. As I mentioned before the jquery `xhr.open( s.type, s.url, s.async );` throws an error right away with access denied. – David Ward Apr 23 '14 at 17:49
  • There must be something in the javascript console that provides more specifics about the issue you are having. – Ray Nicholus Apr 23 '14 at 17:50
  • Not really. I walk through to the xhr.open in jquery there and it throws the error. There is nowhere else to step into. – David Ward Apr 23 '14 at 17:53
  • In IE9 or older, you must use `XDomainRequest` for cross-origin ajax requests, not `XMLHttpRequest`. – Ray Nicholus Apr 23 '14 at 17:54
  • That is correct. I am fortunate in that I can force users to have IE 10 or newer. Hence my use of XMLHttpRequest. – David Ward Apr 23 '14 at 17:57
  • @KevinB Ooops, yes, you're right. Not sure why I thought he was using IE9 or older. In that case, I suspect the request is being sent after all. You'll need to look closer at the HTTP traffic in IE10's network tab. – Ray Nicholus Apr 23 '14 at 17:58
  • I just went and checked again and I am certain. There is nothing in the Network tab if I don't change the 'Access data sources across domains' setting to enabled. It fails with Access is denied before attempting any request. – David Ward Apr 23 '14 at 18:06
  • I think it is unlikely that this setting is the root of your problem. I'm able to make cross-origin XHR requests without issue in IE10 with this setting disabled. – Ray Nicholus Apr 23 '14 at 18:14
  • What is the URL of your page, and the URL of the endpoint your XHR request is targeting? Perhaps you are trying to make a request from the internet zone to the local intranet zone. – Ray Nicholus Apr 23 '14 at 18:19
  • @djay That answer deals with issues related to the response. We seem to be dealing with the browser rejecting the request outright instead. – Ray Nicholus Apr 23 '14 at 18:21
  • @Ray is correct. The browser is rejecting the request outright. The page itself is a Visualforce page inside of Salesforce. That page is making an api request to my google app engine project. With that in mind I think it makes sense that the 'access data sources across domains' setting needs to be changed. no? – David Ward Apr 23 '14 at 18:35
  • What is the security zone of the page hosting the app, vs the security zone of the endpoint targeted by the XHR request? – Ray Nicholus Apr 23 '14 at 18:36
  • Well if I add my url to the trusted sites list and change the security level to medium-low or low then everything works. When this is done the 'access data sources across domains' is set to prompt or enabled respectively. That being said I didn't have it set up in either Trusted sites or Restricted sites previously. – David Ward Apr 23 '14 at 19:01
  • I found a reference for this [here](http://www.webdavsystem.com/ajax/programming/cross_origin_requests) "Internet Explorer ignores Access-Control-Allow headers and by default prohibits cross-origin access for Internet Zone" – David Ward Apr 23 '14 at 19:05
  • 1
    The whole security zones business in IE is one of many reasons why it has been and continues to be such a terrible browser. It's all very confusing and unnecessary. Plus, IE has been violating the Same Origin Policy RFC in other ways as well (it doesn't take ports into consideration) and has butchered CORS support previously (look at XDomainRequest for evidence). It looks like your problem is an attempt to make an XHR request from a less-secure zone to a more secure zone. – Ray Nicholus Apr 23 '14 at 19:16
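
The distinction the comments keep returning to, whether the browser throws from `xhr.open` before any traffic exists or rejects the exchange after the request has gone out, can be checked directly. The following is an added example, not code from the question or the answer; `probeCrossOrigin`, `fakeXhr`, `runSamples` and the `api.example.invalid` URL are hypothetical, and the fake XHR objects are constructed stand-ins so the logic runs outside a browser.

```javascript
// Classifies where a cross-origin XHR fails:
//   "blocked-before-send": open()/send() threw synchronously (for example the
//       "Access is denied" zone-policy error), so nothing reaches the Network tab.
//   "failed-after-send":   the request was dispatched, then onerror fired with
//       status 0 (network failure or the CORS response check rejected it).
//   "ok":                  a response was delivered to the page.
// createXhr is an assumed injectable factory; in a browser pass
// function () { return new XMLHttpRequest(); }.
function probeCrossOrigin(url, createXhr, done) {
  var xhr = createXhr();
  var finished = false;
  function finish(stage, detail) {
    if (finished) return;
    finished = true;
    done({ stage: stage, status: xhr.status || 0, detail: detail || "" });
  }
  xhr.onload = function () { finish("ok"); };
  xhr.onerror = function () { finish("failed-after-send", "inspect CORS response headers"); };
  try {
    xhr.open("GET", url, true);
    xhr.send();
  } catch (e) {
    finish("blocked-before-send", String(e && e.message ? e.message : e));
  }
}

// Constructed stand-ins for the three behaviours (not real browser objects).
// They invoke the callbacks synchronously to keep the sample deterministic.
function fakeXhr(behaviour) {
  return function () {
    return {
      status: 0,
      open: function () {
        if (behaviour === "zone-block") throw new Error("Access is denied.");
      },
      send: function () {
        if (behaviour === "cors-reject") { this.onerror(); return; }
        this.status = 200;
        this.onload();
      }
    };
  };
}

function runSamples() {
  var out = {};
  ["zone-block", "cors-reject", "allowed"].forEach(function (b) {
    probeCrossOrigin("https://api.example.invalid/ping", fakeXhr(b), function (r) { out[b] = r; });
  });
  return out;
}
```

A `blocked-before-send` result points at client-side policy such as the IE zone setting discussed here, so server CORS headers are not the place to look; `failed-after-send` is the case where the HTTP transcript is worth capturing.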