7

We are developing a mobile site using html5, jQuery (1.8.2) and jQuery mobile while making jQuery ajax calls (get and post).
After we changed our domain name, we are getting "access denied" for ajax calls on ie9.
We tried to include jquery.iecors.js. But still we are getting the same error. Is there any resolution for this?

Sample Code:

$.support.cors = true;

$.ajax({
    cache: false,
    async: true,
    crossDomain: true,
    timeout: 600000,

    url: baseUrl + '/SmartTouch/restServices/PrefferedHotels',
    type: 'GET',

    beforeSend: function (xhr) {
        xhr.setRequestHeader("Authorization", "Basic " + myencoded);
    },
    contentType: "application/x-www.form-urlencoded; (http://www.form-urlencoded;) (http://www.form-urlencoded;) charset=UTF-8",
    success: function (data) {

        alert("success");
    },
    error: function (jqXHR, textStatus, errorThrown) {


        alert("error!!::" + JSON.stringify(jqXHR));

        alert('response: ' + jqXHR.responseText);
        alert('code: ' + jqXHR.getResponseHeader('X-Subscriber-Status'));
        alert("textStatus " + textStatus);
        alert("errorThrown " + errorThrown);

    }
});

Edited:

beforeSend: function (xhr) {
    xhr.setRequestHeader("Authorization", "Basic " + myencoded);
    xhr.setRequestHeader("Access-Control-Allow-Origin", "*");
    xhr.setRequestHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS");
},
contentType: "application/x-www.form-urlencoded; (http://www.form-urlencoded;) (http://www.form-urlencoded;) charset=UTF-8",
success: function (data) {
    alert("success");
},
error: function (jqXHR, textStatus, errorThrown) {
    alert("error!!::" + JSON.stringify(jqXHR));
}

Request and Response headers in IE9:

 Request:
    Key Value
    Request GET url HTTP/1.1
    Accept  text/html, application/xhtml+xml, */*
    Accept-Language en-US
    User-Agent  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Accept-Encoding gzip, deflate
    Proxy-Connection    Keep-Alive
    Host     ("url")
    Pragma  no-cache
    Cookie  GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utmc=24444716; __utma=24444716.47018335.1379597653.1380274476.1380276859.17; __utmz=24444716.1379597653.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=24444716.6.10.1380276859

 Response:
    Key Value
    Response    HTTP/1.1 200 OK
    Server  Apache-Coyote/1.1
    X-Powered-By    Servlet 2.5; JBoss-5.0/JBossWeb-2.1
    Accept-Ranges   bytes
    ETag    W/"64578-1380266616000"
    Last-Modified   Fri, 27 Sep 2013 07:23:36 GMT
    Content-Type    text/html
    Date    Fri, 27 Sep 2013 10:17:01 GMT
    Content-Length  64578
    Age 0
    Via 1.1 localhost.localdomain 
Rookie
user1533947

6 Answers

2

This kind of Content-Type looks strange:

application/x-www.form-urlencoded; (http://www.form-urlencoded;) (http://www.form-urlencoded;) charset=UTF-8

I can imagine that IE has a problem with it.

Try the proper one:

application/x-www-form-urlencoded; charset=UTF-8
                 ^-- notice: no dot!

It's also possible for the IE to have problems with the authorization. Maybe myencoded is out of the scope or not filled correctly. Debug this variable and have a look at this question: Authorization through setRequestHeader

Community
Daniel W.
  • I can't think of a scenario where `myencoded` would be scoped correctly on other browsers not IE9. But then again, it's IE. +1 for confirming my doubts of `Content-Type` :) – Oleg Sep 29 '13 at 20:55
1

If you want the Ajax url to be hit from any domain, the server must send a response header Access-Control-Allow-Origin: * or Access-Control-Allow-Origin: your-domain if restricted only to your domain. Can you see these headers in response?

Gurminder Singh
  • Since they can get proper response in other browser; this might not be the issue IMHO. – Maz Sep 23 '13 at 07:05
  • Ok. In ie9, what response do you get? Or you are not even able to get the _Request_ being hit? – Gurminder Singh Sep 23 '13 at 07:08
  • Request is not being hit. – user1533947 Sep 23 '13 at 07:14
  • Looking at link provided by @Maz, I think that is the issue. – Gurminder Singh Sep 23 '13 at 07:20
  • I have added this js file. But still getting this error. Do I need to make any changes in ajax request? – user1533947 Sep 23 '13 at 07:37
  • Did you try this: https://github.com/jaubourg/ajaxHooks/blob/master/src/xdr.js ? – Gurminder Singh Sep 23 '13 at 07:43
  • And try including https://github.com/MoonScript/jQuery-ajaxTransport-XDomainRequest/blob/master/jQuery.XDomainRequest.js if above doesn't work – Gurminder Singh Sep 23 '13 at 07:46
  • Here is another [link](http://stackoverflow.com/questions/12865053/jquery-cross-domain-request-still-failing-in-ie-but-using-jsonp) – Gurminder Singh Sep 23 '13 at 07:50
  • Did you use all 3 links I have posted? – Gurminder Singh Sep 23 '13 at 10:41
  • Yes. We have tried all. Is there any change required in ajax call? – user1533947 Sep 23 '13 at 11:08
  • Can you post Request as well as Response headers? – Gurminder Singh Sep 23 '13 at 11:21
  • I guess there's something wrong with the **headers**. Try to understand _[this](http://www.html5rocks.com/en/tutorials/cors/)_ first. Also try to add relevant **dataType** to your ajax method. Maybe this can help. – Gurminder Singh Sep 23 '13 at 11:41
  • @ Gurminder Please find the edited code above. We have implemented headers as suggested, but still no luck. – user1533947 Sep 23 '13 at 13:38
  • I think you are making a **preflight** request and for that, your headers are wrong. [THIS](https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Preflighted_requests) will give you a better idea – Gurminder Singh Sep 23 '13 at 13:55
  • @ Mark No, ie8 does not work with this. Since we are jquery and jquery mobile, ie8 is not supported. – user1533947 Sep 23 '13 at 13:55
  • @ Jamil Yes we are requesting from the same domain. – user1533947 Sep 23 '13 at 13:56
  • @ Gurminder We can see request and response headers. What needs to be checked there? – user1533947 Sep 24 '13 at 06:43
  • Can you tell me what you are going to achieve in this request and what _contentType_ your web service returns and accepts? – Gurminder Singh Sep 24 '13 at 06:49
  • We are making a call to RESTful webservice which is returning a json object. The content type we are using is: contentType:"application/x-www.form-urlencoded; (http://www.form-urlencoded;) charset=UTF-8", We are also setting a request header : beforeSend: function (xhr) { xhr.setRequestHeader ("Authorization", "Basic "+myencoded);}, Is this causing a problem in xdr as we have read that xdr does not allow custom headers? – user1533947 Sep 24 '13 at 06:55
  • Try changing your _contentType_ to **application/json** and remove these headers **xhr.setRequestHeader("Access-Control-Allow-Origin", "*"); xhr.setRequestHeader("Access-Control-Allow-Methods", "POST,GET,OPTIONS");** – Gurminder Singh Sep 24 '13 at 07:02
  • We have included following js files: jquery-1.7.2.min.js, CryptoJS.js and /jquery.iecors.js. Ajax is: $.ajax({ url:baseUrl+'SmartTouch/restServices/CityCodes', type:'GET', async:true, cache:false, crossDomain:true,beforeSend:function(xhr){xhr.setRequestHeader ("Authorization","Basic"+myencoded)}, contentType:"application/json", success:function(data){ alert("success") ;}, error:function(jqXHR, textStatus,errorThrown) { alert("error!!::" + JSON.stringify(jqXHR));}}); }); We are still getting access denied. Is Basic authorization header causing a problem? – user1533947 Sep 24 '13 at 07:39
  • If we remove it then it won't work in any of the browsers. Is this classified as a custom header, since xdomainrequest does not support custom headers? If yes, then please suggest some alternative. – user1533947 Sep 24 '13 at 07:48
  • Yes, we tried to remove it. We got 404 NOT FOUND error in all other browsers. – user1533947 Sep 24 '13 at 08:02
  • Well sorry mate, after all this I won't be able to resolve it until I see the code in action. You have to keep trying other options! – Gurminder Singh Sep 24 '13 at 08:08
1

You seem confident that the issue has nothing to do with the suggested jQuery bug (especially since you're using jquery.iecors.js) so I'll move right on.

  • What is the significance of the "edited" bit? Access-Control-Allow-Origin:* should be set on the response (i.e. server-side, as part of Apache/IIS/F5 configuration), not on the request. Edit: there is more information available on MDN; you could also use something like burp's tampering proxy to play with the headers if you don't have immediate access to config changes (pretty common in an enterprise environment)

  • Even if not an issue, @DanFromGermany is absolutely right - content-type does look strange. You shouldn't even have to set it manually, jQuery.ajax() has it correct by default.

  • You also seem concerned with setting the basic authentication header. Remember that myencoded value is just encoded (not encrypted), so you might as well skip the header and pass credentials in the URL: http(s)://username:password@www.example.com/

Moar edit:

Looking through those MDN docos above, this seems relevant:

By default, in cross-site XMLHttpRequest invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object when it is invoked.

Perhaps try adding xhr.withCredentials = true; to your beforeSend?

Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding. The above example would fail if the header was wildcarded as: Access-Control-Allow-Origin: *. Since the Access-Control-Allow-Origin explicitly mentions http://foo.example, the credential-cognizant content is returned to the invoking web content.

This would invalidate previous advice of using an asterisk in the header (i.e. explicit domain is required)

Oleg
  • @ o.v. Where exactly do we need to set the header on server side? How do we set it on response? In our case response is json. – user1533947 Sep 27 '13 at 07:19
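
The server-side rule from the answer above (the `Access-Control-*` headers belong on the response, and a credentialed request needs an explicit origin rather than `*`), as an added example that is not part of the original answer or the asker's service. `corsResponseHeaders`, `ALLOWED_ORIGINS` and the example.com origins are hypothetical names and constructed values.

```javascript
'use strict';

// Hypothetical allowlist: the origins that serve the mobile site's pages.
const ALLOWED_ORIGINS = new Set([
  'https://m.example.com',
  'https://www.example.com',
]);

// Builds the CORS headers the server adds to its response.
// method: request method; reqHeaders: request headers with lower-cased names.
function corsResponseHeaders(method, reqHeaders, credentials) {
  const origin = reqHeaders['origin'];
  // Vary: Origin keeps caches from reusing one origin's grant for another.
  const out = { 'Vary': 'Origin' };
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return out; // no grant: the browser blocks the cross-origin read
  }
  // Echo the allowlisted origin; '*' is rejected for credentialed requests.
  out['Access-Control-Allow-Origin'] = origin;
  if (credentials) {
    out['Access-Control-Allow-Credentials'] = 'true';
  }
  // Preflight: a script-set Authorization header makes the browser send
  // OPTIONS first, and the header must be named in Allow-Headers.
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    out['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    out['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
  }
  return out;
}

// Constructed preflight for the question's GET with an Authorization header.
console.log(corsResponseHeaders('OPTIONS', {
  'origin': 'https://m.example.com',
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'authorization',
}, false));
```

The returned map is what a servlet filter or front-end proxy would copy onto the response; none of these headers has any effect when set on the request.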
1

See this Microsoft article on CORS implementation on IE8 and IE9: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

Specifically they say two things:

  • No custom headers may be added to the request

and

  • No authentication or cookies will be sent with the request

And you mentioned in your comment:

Our problem is we are doing basic authorization and including following header: xhr.setRequestHeader("Authorization", "Basic " + myencoded); in our ajax call. But in ie9 we are getting access denied. Is there any way to include this header?

Unfortunately, the answer I'll have to give you is no, there is no way to include this header in IE8 or IE9. Microsoft designed it that way.

To get it to work with CORS on IE9 you'll have to convince the site you're connecting to to allow you to send authorization information some other way - maybe query params or post data.

If the site is not cooperative there's always the request proxy work-around where you request to a page on your server and your server forwards the request with the correct header etc.

slebetman
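
A check for the XDomainRequest restrictions this answer cites, as an added example that is not part of the original answer or of any jQuery plugin. It goes beyond the two restrictions quoted above and also covers the method, scheme and Content-Type limits from the same Microsoft article; `xdrBlockers` is a hypothetical helper that inspects jQuery's `headers` option (not `beforeSend`), and the URLs and token are constructed placeholders.

```javascript
'use strict';

// Lists the reasons a jQuery-style ajax options object cannot be sent
// unchanged through IE8/IE9 XDomainRequest. An empty array means no blocker.
function xdrBlockers(pageUrl, opts) {
  const page = new URL(pageUrl);
  const target = new URL(opts.url, pageUrl);
  const problems = [];
  if (target.origin === page.origin) {
    return problems; // same origin: XDomainRequest is not involved
  }
  const method = (opts.type || 'GET').toUpperCase();
  if (method !== 'GET' && method !== 'POST') {
    problems.push('method ' + method + ' is not supported');
  }
  if (target.protocol !== page.protocol) {
    problems.push('target scheme ' + target.protocol +
      ' differs from page scheme ' + page.protocol);
  }
  // Every script-set header counts as custom, Authorization included.
  for (const name of Object.keys(opts.headers || {})) {
    problems.push('custom request header ' + name + ' cannot be set');
  }
  if (opts.xhrFields && opts.xhrFields.withCredentials) {
    problems.push('cookies and HTTP authentication are never sent');
  }
  const ct = (opts.contentType || '').split(';')[0].trim().toLowerCase();
  if (method === 'POST' && ct && ct !== 'text/plain') {
    problems.push('request Content-Type ' + ct + ' is not supported');
  }
  return problems;
}

// Constructed sample modelled on the question's call; the token is a placeholder.
const sample = {
  url: 'http://api.example.com/SmartTouch/restServices/PrefferedHotels',
  type: 'GET',
  headers: { Authorization: 'Basic <base64-placeholder>' },
};
console.log(xdrBlockers('http://m.example.com/index.html', sample));
```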
0

If you were using windows based hosting?

Please check old configs for the IIS, if available,

there are security provisions which will allow content by its type,

add this response header <% Response.AddHeader("Access-Control-Allow-Origin","*") %> in your page also.

or refer the source link to MSDN for more details

I think you have updated this in edits but there are many things as it's AJAX involved, and your IE9 may also be one of the reasons if you have changed security options and not default.

I think that should do, if not please reply

MarmiK
0

You can try this

<meta http-equiv="X-UA-Compatible" content="IE=Edge" >

It forces the browser to render at whatever the most recent version's standards are. For reference: http://msdn.microsoft.com/en-us/library/ie/ms533876%28v=vs.85%29.aspx

Shafeeque