41

I'm trying to do a ajax call between a server (http) that is on internet. And target that to my own localhost. FF/Chrome/ ETC... works. It's ONLY an IE issue. IM USING IE 11 AND 10.

The request is don't even done. The "denied access" is thrown instantly.

This is the code. Just for you to see.

Is not the classical HTTP/HTTPS error in IE8 AND IE9. This is something else, but the documentation is not helpful.

$jq.ajax({
            contentType: 'application/json',
            url: url,
            dataType: 'json',
            crossDomain: true,
            beforeSend: function (xhr) {
                xhr.withCredentials = true; 
                xhr.setRequestHeader("Authorization", "Basic " + $jq.base64.encode(username and password));
            },
            success: function (data, status, headers) {},
            error: function (xhr, status, error) {}

The status is 0 in xhr object and error is "Denied access"

Nilesh Thakkar
  • 2,877
  • 1
  • 24
  • 43
narc88
  • 531
  • 2
  • 5
  • 10

5 Answers5

47

Internet Explorer raises this error as part of its security zones feature. Using default security settings, an "Access is Denied" error is raised when attempting to access a resource in the "Local intranet" zone from an origin in the "Internet" zone.

If you were writing your Ajax code manually, Internet Explorer would raise an error when you try to open the resource. For example:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost/', true); // This line will trigger an error
xhr.send();

You can work around this error by adding the origin site to the "Trusted sites" security zone. You can test this by adding "http://client.cors-api.appspot.com" to your "Trusted sites" zone and using this test page at test-cors.org with your localhost site as the Remote URL.

oobug
  • 941
  • 1
  • 8
  • 13
  • 5
    But what if your JS is being run by someone else and you can't change their IE security settings? This solves the problem for one computer....but not for the deployed code. – theUtherSide Jun 01 '17 at 01:43
  • 1
    @theUtherSide If your code is being deployed to localhost, then you're already going to be deploying/installing something on your user's workstation. If you have access to their workstation, you can change their IE security settings. If your user is deploying/installing manually, you can include the IE security settings change in your installation instructions. – oobug Jun 01 '17 at 20:47
  • 2
    @oobug That's exactly my point --this answer only applies if you have access to change the IE security settings. That's fine if you have some internal app, but it does not apply to JS code on the wild wild web. – theUtherSide Jun 05 '17 at 20:42
  • 1
    @theUtherSide The question asked is specifically about Ajax calls targeting localhost. I would advise against developing a web application that makes Ajax calls to localhost unless you've also developed something deployed to localhost. – oobug Jun 21 '17 at 16:44
20

In addition to the trusted site requirement I found that the problem was not fixed until I used the same protocol for the request as my origin, e.g. my test site was hosted on a https but failed with any destination using http (without the s).

This only applies to IE, Chrome just politely logs a warning in the debug console and doesn't fail.

  • 1
    This fixed my issue. 4 years later, IE doesn't like http vs https but other browsers don't seem to care. – sean Oct 16 '18 at 14:21
4

If you are attempting to make cross-origin ajax requests in IE9, you'll need to use XDomainRequest instead of XMLHttpRequest. There is a jQuery plug-in that wraps XDR. You should be aware that there are some notable limitations of XDR.

Another option would be to use a library like this: https://github.com/jpillora/xdomain.

theUtherSide
  • 3,338
  • 4
  • 36
  • 35
Ray Nicholus
  • 19,538
  • 14
  • 59
  • 82
2

jQuery implements ajax calls using the XMLHttpRequest object which is not supported in IE9. You have to force it to use XDomainRequest instead.

I get around this problem using this jQuery plugin:

https://github.com/MoonScript/jQuery-ajaxTransport-XDomainRequest

Jamie Holdstock
  • 166
  • 1
  • 11
-7

Note:

Do not use "http://www.domain.xxx" or "http://localhost/" or "IP" for URL in Ajax. Only use path(directory) and page name without address.

false state:

var AJAXobj = createAjax();
AJAXobj.onreadystatechange = handlesAJAXcheck;
AJAXobj.open('POST', 'http://www.example.com/dir/getSecurityCode.php', true);
AJAXobj.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
AJAXobj.send(pack);

true state:

var AJAXobj = createAjax();
AJAXobj.onreadystatechange = handlesAJAXcheck;
AJAXobj.open('POST', 'dir/getSecurityCode.php', true);   // <<--- note
AJAXobj.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8');
AJAXobj.send(pack);



function createAjax()
{
    var ajaxHttp = null;
    try
    {
        if(typeof ActiveXObject == 'function')
            ajaxHttp = new ActiveXObject("Microsoft.XMLHTTP");
        else 
        if(window.XMLHttpRequest)
            ajaxHttp = new XMLHttpRequest();
    }
    catch(e)
    {
        alert(e.message);
        return null;
    }
    //-------------
    return ajaxHttp;
};
ali bagheri
  • 139
  • 2
  • 5