2

I am trying to POST a search request from a jQuery/knockout web app. I followed the directions for implementing CORS in WCF and also added the following to the service:

    [OperationContract]
    [WebInvoke(Method = "OPTIONS", UriTemplate = "*")]
    public void GetOptions()
    {
    }

The search request works fine in Chrome and Firefox. Chrome sends an OPTIONS request, which is handled successfully (200) and the access-control headers are in the response, and then it sends the POST, which returns search results. So the CORS preflight is working just fine.

But IE is a different story. It also sends and OPTIONS request which is handled successfully and the access-control headers are in the response, but then it just...stops. It doesn't send a POST request afterward and has a status of (aborted) in developer tools.

The console has an error of XMLHttpRequest: Network Error 0x80070005, Access is denied. but the status of the OPTIONS request is 200 and it never (from what I can tell) even attempts the POST. So I don't even know what was denied.

I'm pulling my hair out here. It would be obvious something was wrong in all three browsers, but why only IE? These are the headers I am adding:

requiredHeaders.Add("Access-Control-Allow-Origin", "*");
requiredHeaders.Add("Access-Control-Allow-Methods", "POST,GET,PUT,DELETE,OPTIONS");
requiredHeaders.Add("Access-Control-Allow-Headers", "X-Requested-With,Content-Type,Accept");
requiredHeaders.Add("Access-Control-Max-Age", "1728000");

And this is the client side request:

$.ajax({
    url: serviceUrl + "ExemptServices.svc/json/search",
    method: "POST",
    contentType: "application/json",
    data: JSON.stringify(ko.mapping.toJS(self.Criteria)),
    success: function (response) {
        self.SearchResults(response.ResultData);
    },
    error: function (jqXHR, textStatus, errorThrown) {
        alert("Error searching." + errorThrown);
    }
});

I should also mention that both the web and WCF servers are in the local intranet zone and everything is on the same internal network, including the client.

Here's the logs from fiddler. There's only the OPTIONS request, no attempt to perform a POST was made:

OPTIONS http://ecydevws2/ustservice/ExemptServices.svc/json/search HTTP/1.1
Accept: */*
Origin: http://ecyapdevtcp
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type, accept
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: ecydevws2
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,PUT,DELETE,OPTIONS
Access-Control-Allow-Headers: X-Requested-With,Content-Type,Accept
Access-Control-Max-Age: 1728000
Set-Cookie: ASP.NET_SessionId=z35robabmzflsyp0l1xl0qey; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 25 Jul 2016 17:49:43 GMT
Paul Abbott
  • 7,065
  • 3
  • 27
  • 45
  • http://stackoverflow.com/questions/15442122/cors-with-ie-xmlhttprequest-and-ssl-https ? – lstern Jul 22 '16 at 17:59
  • `XDomainRequest` was necessary for CORS in IE8+ but was deprecated in IE10 and removed in IE11 (which is what I am using). – Paul Abbott Jul 22 '16 at 19:49
  • What version of jQuery you use? Which versions of IE do you check (you said IE11 in the comment, do you check only IE11 or others as well?)? Can you add a complete request/response headers for the problematic browser? You said you are in a local intranet zone, so you might need to change `security settings` in the client's computer. – Dekel Jul 25 '16 at 17:39
  • Added logs, I only care about IE11, and it's jQuery 2.x. Changing browser settings is simply not a viable solution in the environment I'm in. – Paul Abbott Jul 25 '16 at 17:54
  • If you compare the fiddler request from Chrome/Firefox to that of IE what is different - just the User-Agent header? – John Meyer Jul 25 '16 at 18:02
  • Well, crap...it works if I allow data access across domains so what I built will inherently not work in IE. I have stupid policies that require me to have web services on another server so there's no way around this. Why does it even bother sending `OPTIONS` if it knows it's cross origin? – Paul Abbott Jul 25 '16 at 18:07

0 Answers0