
I'm trying to make an HTTP GET request in JavaScript to a REST API from within an iframe. The iframe is sandboxed, but it has the allow-scripts attribute set, and the API I'm calling is enabled to allow all origins, so CORS shouldn't be a problem.

I've recreated the scenario with a minimal code sample here:
http://plnkr.co/edit/jrchvxFXQQDqs2Fv

If you go to that page and preview the page with any modern browser (Chrome, Edge, etc.) it works correctly.

But if you do that with Internet Explorer 11, the call fails. On the JavaScript console, we get this generic network error:

[screenshot: generic network error in the IE11 console]

but the weird thing is: the call is actually running correctly. In fact, if we check the network tab, we can see it being performed and returning 200:

[screenshot: network tab showing the request completing with 200]

Am I doing something wrong here, or is this just the usual IE being IE?

Master_T

1 Answer


I found that we need to add allow-same-origin to make it work in IE.

By default, sandbox forces the "different origin" policy for the iframe. In other words, it makes the browser treat the iframe as coming from another origin, even if its src points to the same site. allow-same-origin removes this restriction. So I think it fails in IE at first because it doesn't meet the same-origin policy.

As for the difference between IE and other browsers, I think that's due to the different policy design in different browsers.

I also found a thread about the issue with some useful information; you could refer to it for more details.

Yu Zhou
  • The other browsers enforce same origin policy correctly imho: they allow the call, but send it with origin "null", leaving the decision to accept it or reject it to the server. IE makes the call anyway (making the restriction pointless from a security perspective), but then decides to enforce the policy by.... crashing the script? As usual, IE never ceases to amaze me with how badly designed it is. – Master_T Jun 05 '20 at 07:44