21

I’m currently having an issue with a cross-domain ajax call using IE10 (in IE10 mode, not compatibility).

Situation: I have two domains, http://a and http://b. I have a cookie set for http://b. I am currently on page http://a.

I want to do a CORS request to http://b using XMLHttpRequest (which should work, according to http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx), and include the cookie in the request. The JS is as follows:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://b', true);   // asynchronous cross-origin GET to http://b
xhr.withCredentials = true;          // ask the browser to attach http://b's cookies
xhr.send();

This should ensure that the cookie is attached to the request; however, the Fiddler trace shows that no cookie is attached, and I get 401: Access Denied.

The server is configured to work with CORS, it includes the Access-Control headers:

Access-Control-Allow-Origin: http://a
Access-Control-Allow-Credentials: true

(this should not make any difference: there is no OPTIONS preflight request, the first request IE sends is the GET, and the cookie is not present on it, which causes the 401).

Furthermore, the JS snippet works fine in both Firefox and Opera.

Rendijs S
  • Note: I am seeing the same behavior when using jQuery, with `xhrFields: { withCredentials: true }` – Rendijs S Sep 28 '12 at 16:35
  • I don't have IE10, but I do have a CORS test site. Can you try out the following request in IE10 and see if it works? Just click the "Send Request" button and see what the response is. I just tried and it works in Chrome. If it doesn't work in IE, it could be a bug: http://client.cors-api.appspot.com/client?server.enable=true&server.credentials=true&server.httpstatus=200&client.method=GET&client.credentials=true – monsur Sep 28 '12 at 17:31
  • @monsur - I've done some more testing. IE10 works on the page you provided; it appears that IE10 supports `xhr.withCredentials` on pages that have a matching second-level domain name (e.g. `http://a.b.com` talking to `http://c.b.com`), but not when the second-level domain names do not match (e.g. http://a.com talking to http://b.com) – Rendijs S Oct 01 '12 at 10:46
  • This may be a bug. What is the domain on your cookie? Note that a cookie set by b.com will only be accessible by b.com. It won't be visible to JS code on a.com. – monsur Oct 01 '12 at 14:26
  • Yes, the cookie is set on domain `http://b.com`. Firefox and Opera both include the cookie when `withCredentials` is set to true; I've yet to try it out with Chrome and Safari. – Rendijs S Oct 02 '12 at 09:09

3 Answers

25

It's probably the same old IE P3P issue. With IE's default settings, if a cookie is set without a P3P header also present in the response, the cookie is marked as "first-party only", which means that in a third-party context, such as an iframe or a CORS request, IE will refuse to send the cookie.

To fix it, you need to supply a P3P header when setting the cookies. See http://msdn.microsoft.com/en-us/library/ms537343%28v=vs.85%29.aspx for details.

Update: Link is now dead, but you can see it at the Internet Archive

Anomie
  • Would be nice if the answer could be updated to what exactly this header should be, to save time going over the docs :) – Poul K. Sørensen Jan 27 '15 at 10:32
  • The correct header depends on the privacy policies of your website. Or you could just do like Google does (their header is currently `p3p: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."`) – Anomie Jan 27 '15 at 15:02
  • Since the Microsoft article in the link is deleted, can you please update the answer with exactly how to "supply a P3P header when setting the cookie"? @Anomie – Shailen Sukul Sep 17 '15 at 23:45
  • Adding a P3P response header with the value `CP="something"` solved the problem for me too with IE11 on Win7 – Wolfram Hofmeister Jun 03 '16 at 14:06
  • This Microsoft article covers the subject and is often quoted in similar situations: https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/ – saeraphin Dec 11 '17 at 07:05
  • relevant: https://blogs.msdn.microsoft.com/ie/2012/02/20/google-bypassing-user-privacy-settings/ – Knu Apr 23 '18 at 19:20
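As an added example that is not part of the question or of any answer, here is what the server side of `http://b` has to do for the credentialed request in the question to succeed in IE, modelled as plain functions over request objects so it runs offline. The origin allowlist `ALLOWED_ORIGINS`, the session store `SESSIONS`, the `P3P` value and the function names are assumptions for illustration, and the P3P placeholder is not a real privacy policy. Beyond the P3P header, the code shows the two checks a reviewer insists on for a credentialed endpoint: never echo `*` or an unvalidated `Origin` next to `Access-Control-Allow-Credentials: true`, and send `Vary: Origin` so caches do not hand one origin's response to another. For current browsers, which ignore P3P, the equivalent of this problem is the `SameSite` cookie attribute, so the cookie is also set with `SameSite=None; Secure`.

```javascript
'use strict';

// Added example, not code from the question or the answers. It models the
// server side of http://b as pure functions over plain request objects, so it
// runs without opening a socket. ALLOWED_ORIGINS, SESSIONS, P3P_HEADER and the
// function names are assumptions made for this illustration.

// Origins allowed to make credentialed requests. The exact origin must be
// echoed: browsers reject "*" when withCredentials is set, and reflecting an
// arbitrary Origin header with Allow-Credentials: true would let any site
// read authenticated responses.
const ALLOWED_ORIGINS = new Set(['http://a']);

// Constructed session store standing in for a real backend.
const SESSIONS = new Map([['s3cr3t', { user: 'alice' }]]);

// IE's default privacy setting only checks that a compact policy is present
// and not "unsatisfactory"; this placeholder is not a real privacy policy.
// Modern browsers ignore P3P and use the SameSite cookie attribute instead.
const P3P_HEADER = 'CP="This is not a P3P policy; see /privacy for details."';

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Returns the CORS headers for an allowed origin, or null for anything else.
function buildCorsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The headers depend on Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Response that sets the session cookie. This is where the P3P header has to
// go: IE decides at Set-Cookie time whether the cookie may later be sent in a
// third-party context such as a cross-site XHR.
function loginResponse(sid) {
  return {
    status: 200,
    headers: {
      'P3P': P3P_HEADER,
      // SameSite=None; Secure is what current browsers require for the same
      // cross-site XHR, which also means the site has to be served over https.
      'Set-Cookie': `sid=${sid}; Path=/; HttpOnly; SameSite=None; Secure`,
    },
    body: 'logged in',
  };
}

// req is a plain object: { method, headers: { origin, cookie } }.
function handleCorsRequest(req) {
  const cors = buildCorsHeaders(req.headers.origin);
  if (!cors) {
    // Unknown origin: no CORS headers at all, and no authenticated work.
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  if (req.method === 'OPTIONS') {
    // Preflight, only sent for non-simple requests; the question's plain GET
    // with no custom headers goes straight to the branch below.
    return {
      status: 204,
      headers: { ...cors, 'Access-Control-Allow-Methods': 'GET, OPTIONS' },
      body: '',
    };
  }
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) {
    // This is the branch the question's Fiddler trace hits: the request
    // arrived with no Cookie header, so the server answers 401.
    return { status: 401, headers: cors, body: 'no valid session cookie' };
  }
  return { status: 200, headers: cors, body: `hello ${session.user}` };
}

// Stand-alone demo with a constructed request from the page http://a.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(loginResponse('s3cr3t').headers);
  console.log(handleCorsRequest({
    method: 'GET',
    headers: { origin: 'http://a', cookie: 'sid=s3cr3t' },
  }));
}
```

Note that a 403 for an unknown origin is belt and braces: the browser would withhold a response without matching CORS headers anyway, but refusing to do authenticated work for an origin you do not recognise keeps the server from acting on a forged cross-site request even when the browser's enforcement is bypassed by a non-browser client.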
-2

I had a similar problem, and it turned out that the browser settings were blocking third-party cookies (IE10 > Internet Options > Privacy > Advanced > Third Party Cookies > Accept). To solve the problem, I checked "Override automatic cookie handling", "Accept" (Third-party Cookies) and "Always allow session cookies."

Andrew M. Andrews III
-2

We added a header `Vary: cookie` and it worked.

Pierre Guilbert