CORS XMLHttpRequest fails in IE10-11 web worker

Question

I'm trying to make a cross-origin XMLHttpRequest from within a web worker. The setup is as follows:

The original request is made to the same domain example.com
The server redirects (302) the request to s3.amazon.com
S3 is properly set up for CORS, responding with the proper Access-Control-Allow-Origin header

The code is as follows:

var xhr = new XMLHttpRequest();
//this will redirect to 'https://s3.amazon.com/...'
xhr.open('GET', 'https://example.com/document/1234/download');
xhr.send(null);

Chrome, Firefox, Safari, and MS Edge on Win 10

This code properly follows the redirect, both when called from the main JS file and from a web worker.

IE 10/11 on Win 7

This code properly follows the redirect only when called from the main JS file. When called from a web worker, the request is aborted without an error or log message.

It's possible to make this work by editing the browser security settings and enabling "Access data sources across domains," but it is not viable to expect users to do so.

Questions

Is there some special setup required to make IE 10/11 follow the redirect?
Is there a way to get better output from IE 10/11 other than an opaque aborted request?

After reading through a comment section [here](http://stackoverflow.com/questions/23229723/ie-10-11-cors-status-0) I found this: "It looks like your problem is an attempt to make an XHR request from a less-secure zone to a more secure zone." perhaps your code is fine, would the final code be hosted with https? and do you have the ability to test your code using https without pushing it into production? — Patrick Barr, Apr 03 '17 at 21:25
This is all tested over https. I'll look through those comments more in-depth, but at a glance they don't seem to address my issues. Thanks for the link. — bostonou, Apr 03 '17 at 21:46
Can't you just read the redirect header from the response head yourself and act accordingly or IE 10/11? E.g. using a feature detection on your server, then if the browser does not follow the redirect, use your custom ajax call code. I could write an example but only in a few days since I'm not active on my laptop during the weekend. — posixpascal, Apr 07 '17 at 07:52
@praszyk there are multiple workaround solutions, though obviously I'd prefer not to have to use them. i'm trying to understand why this specific case fails and if it is a bug in IE. — bostonou, Apr 13 '17 at 06:41

score 1 · Accepted Answer · answered Apr 13 '17 at 15:21

There are several possible work-arounds to this problem, two of which I explored:

Option 1

function callXHR() {
  var xhr = new XMLHttpRequest();
  //this will redirect to 'https://s3.amazon.com/...'
  xhr.open('GET', 'https://example.com/document/1234/download');
  xhr.send(null);
}

if(isIE) {
   //callXHR in main js file
} else {
   //callXHR in web worker
}

Option 2

//from a web worker
if(isIE) {
   //give the exact url so the xhr doesn't get a 302
   callXHR('https://s3.amazon.com/...');
} else {
   //this will follow the redirect to https://aws...
   callXHR('https://example.com/document/1234/download');
}

I decided on Option 2 because I didn't want to give up the web worker.

The answers provided here were focused on CORS or redirects, but none actually addressed the specific problem I was having.

You send on two different urls. Your problem with 302 redirect in IE [this](http://stackoverflow.com/questions/6948128/ie-doesnt-follow-redirect-gives-internet-explorer-cannot-display-the-webpage) — , Apr 13 '17 at 15:56

score 0 · Answer 2 · answered Apr 12 '17 at 04:22

Try setting up few more metatags in header request, like xhr.setRequestHeader('Access-Control-Allow-Origin', example.com ); // from which request is made

// Create the XHR object.
function createCORSRequest(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // XHR for Chrome/Firefox/Opera/Safari.
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // XDomainRequest for IE.
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
}

// Helper method to parse the title tag from the response.
function getTitle(text) {
  return text.match('<title>(.*)?</title>')[1];
}

// Make the actual CORS request.
function makeCorsRequest() {
  // This is a sample server that supports CORS.
  var url = 'https://example.com/document/1234/download';

  var xhr = createCORSRequest('GET', url);
  if (!xhr) {
    alert('CORS not supported');
    return;
  }

  // Response handlers.
  xhr.onload = function() {
    var text = xhr.responseText;
    var title = getTitle(text);
    alert('Response from CORS request to ' + url + ': ' + title);
  };

  xhr.onerror = function() {
    alert('Woops, there was an error making the request.');
  };

  xhr.send();
}

For more details check this link - https://www.html5rocks.com/en/tutorials/cors/

Yes, but in IE if you disbled "Access data sources across domains" it will not be work — , Apr 12 '17 at 12:08
I already have CORS working. The problem is specific to *redirects from a web worker*. — bostonou, Apr 13 '17 at 06:39
Hope you might have trired already ...try debugging the web worker from developer console [keep a debugger ]. Since no error log is present. I request you to do ! and check the request header section. Try finding why it is getting failed. — Vinod kumar G, Apr 17 '17 at 11:37