Make a CORS request in IE9 with cookies?

Question

In IE9, I am attempting to make a cross origin request with cookies. However, even when I have the Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Methods all set to the appropriate values (the origin domain, true, and GET, POST), IE9 still isn't sending or setting cookies from the request. Here's the script I'm using:

var xdr = new XDomainRequest()
xdr.open("http://mydomain.com/cors.php")
xdr.withCredentials = true;
xdr.send();

Any idea on how to get cookies to work with CORS requests in IE9?

jeff did you found the solution? perhaps you can send cookie info as query param as work around? — Amareswar, Jun 21 '12 at 22:33

score 18 · Accepted Answer · answered Jun 08 '12 at 13:23

18

From this page http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx at the bottom you can see Update: Internet Explorer 10 now supports CORS using XMLHTTPRequest. It means CORS is not handled properly in IE9. Sorry. They propose some workarounds with proxy in the same article.

Browser compatibility matrix is given at http://caniuse.com/cors where by partial support they mean

Internet Explorer 8 provides support via the XDomainRequest object but doesn't support credentialed requests http://code.google.com/p/sgvizler/wiki/Compatibility.

answered Jun 08 '12 at 13:23

Artem Oboturov

4,344
2
30
48

Maybe the XHR object works better in IE10 - but it doesn't send all of the cookies. – JNF Jul 31 '13 at 07:41
1

I can confirm it only works properly in IE10+. IE9 and IE8 have to use XDR and it sucks because the content-type has to be text/plain and can't use cookies. BTW, no proxy (or cURL) is going to work for cookies because cross-domain cookies are also forbidden for security reasons. – Alex W Sep 10 '13 at 18:35
1

Updating to note that I believe that IE10 and IE11 on anything before Windows10 still also require their special P3P policy header to be set on the server in order for the server to read the server domain cookies from the client browser in this way. – Dtipson Feb 26 '16 at 19:37

score 0 · Answer 2 · answered Jun 25 '12 at 18:30

0

From my experience, if both domains are in your control better to use postMessage

answered Jun 25 '12 at 18:30

Amareswar

2,048
1
20
36

1

Somewhat of a problem... http://stackoverflow.com/questions/16226924/is-cross-origin-postmessage-broken-in-ie10 – JNF Jul 31 '13 at 09:48

Make a CORS request in IE9 with cookies?

2 Answers2

Linked