1

Below is an XDomainRequest being made from javascript to a PHP Backend on Nginx on a different subdomain. The return result always executes the error function, and XDomainRequest doesn't give debugging details. Is there something wrong with the code?

Javascript

var xdr = new XDomainRequest();       

        xdr.open(method.toLowerCase(), url);
        timeout = 10000;
        // Required to XDomainRequest works
        xdr.timeout = timeout;
        xdr.onprogress = function() {};

        xdr.ontimeout = function() {
          completeRequest(callback, 408, 'Timeout', 'Content-Type: text/plain');
          xdr.abort();
        };

        xdr.onload = function() {
          completeRequest(callback, 200, xdr.responseText, 'Content-Type: ' + xdr.contentType);          
        };

        xdr.onerror = function() {
          completeRequest(callback, 500, 'Error', 'Content-Type: text/plain');
          xdr.abort();
        };


        $browserDefer(function () {
          xdr.send();
        }, 0); //fix IE bug that raises '$apply already in progress' on cached requests

        if (timeout > 0) {
          $browserDefer(function() {
            status = -1;
            xdr.abort();
          }, timeout);
        }

PHP with PreFlight Options Check

if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
            if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']) && ($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] == 'POST' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] == 'DELETE' ||  $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] == 'PUT' )) {
                     header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
                     header("Access-Control-Allow-Credentials: true"); 
                     //header('Access-Control-Allow-Headers:  *,X-Requested-With,Content-Type');
                     header('Access-Control-Allow-Headers: Content-Type');
                     header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT'); // http://stackoverflow.com/a/7605119/578667
                     header('Access-Control-Max-Age: 86400'); 
                     echo PVResponse::createResponse(200, 'Successful Connection');
             }
          exit();
        }

        header('Access-Control-Allow-Origin: '. $_SERVER['HTTP_ORIGIN'] );
        header('Access-Control-Allow-Credentials: true' );
        header('Access-Control-Request-Method: *');
        header('Access-Control-Allow-Methods: POST, GET, PUT, DELETE, OPTIONS');
        header('Access-Control-Allow-Headers: *,x-requested-with,Content-Type');
        header('X-Frame-Options: DENY');

//Execute rest of PHP code after headers have been set

I've gotten cross subdomain calls to work in every other browser. Is there something special for IE8 and IE9, like a special Allow-Headers or something else I am missing?

Devin Dixon
  • 11,553
  • 24
  • 86
  • 167
  • For cross-domain, I think you need the following: Access-Control-Allow-Origin:* – user2793390 Oct 03 '13 at 14:16
  • How did you manage to make cross domain calls work in other browsers? `XDomainRequest` is an IE-specific function. – Marcel Korpel Oct 03 '13 at 14:17
  • The other browsers use XMLHttpRequest. What I am showing above is only a snippet that executes if the browser is IE8 or 9. IE10 can use XMLHttpRequest. – Devin Dixon Oct 03 '13 at 14:20
  • For security reasons, Access-Control-Allow-Origin:* should not be used. Also, Access-Control-Allow-Origin: * is not allowed with credentials. – Devin Dixon Oct 03 '13 at 14:21
  • Uhm, IE >= 7 can also use `XMLHttpRequest`s, which don't work in a cross-domain manner. So, how did you make the other browsers to work with cross-domain `XMLHttpRequest`s? BTW, don't forget to @Call me, otherwise I won't be notified. – Marcel Korpel Oct 03 '13 at 14:39
  • @MarcelKorpel Full snippet of code, modified AngularJS Library.https://gist.github.com/ProdigyView/6810998 . Basically there is an if statement if (useXDomain && XDR) which only IE8/9 use, everything else uses XMLHttpRequest. But how it works in the other browsers is not the issue. – Devin Dixon Oct 03 '13 at 14:45

0 Answers0