
I have a web page that does a POST to another page in another subdomain (subdomain1.domain.com -> subdomain2.domain.com), and I understand that I need to configure CORS to allow that situation. I did all the configuration and it works in Chrome, Firefox and IE11.

But there is an exception: only in IE11 on my client's network, the request doesn't work, returning "origin not found in access-control-allow-origin header".

I found out that it occurs because in my client's network the request does not return the security header. The images below can explain it better:

IE11 OUTSIDE MY CLIENT NETWORK (In red the CORS return from server)


IE11 INSIDE MY CLIENT NETWORK (There is no security header return from server)


JAVA CODE SERVER CORS FILTER (There is no security header return from server)

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CorsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;

        // A single fixed origin is allowed, with credentials (cookies) permitted
        resp.addHeader("Access-Control-Allow-Origin", "https://intranet2.culturainglesa.net");
        resp.addHeader("Access-Control-Allow-Credentials", "true");
        resp.addHeader("Access-Control-Allow-Methods", "GET,POST");
        resp.addHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");

        // Just ACCEPT and REPLY OK if OPTIONS (preflight); do not run the rest of the chain
        if (request.getMethod().equals("OPTIONS")) {
            resp.setStatus(HttpServletResponse.SC_OK);
            return;
        }

        chain.doFilter(request, servletResponse);
    }

    @Override
    public void destroy() {
        // Nothing to clean up
    }

}

Cateno Viglio
  • Yes, it looks like the server isn't sending CORS headers in the response to IE11. The solution is to make the server send the same headers to IE as it does to Chrome. You need to show information about how the server is configured and what server-side software you're using, or else no one is going to be able to guess why the server isn't sending CORS headers. – apsillers Jun 23 '17 at 14:37
  • Thanks, I have updated the question with the server filter that returns CORS. It is a Java filter hosted on JBoss 7.1.1 – Cateno Viglio Jun 23 '17 at 15:10

1 Answer

The problem was not on the server side or in CORS, but in IE11, which doesn't send credentials in this particular situation through AJAX:

INTERNET ZONE SITE -> INTRANET ZONE SITE

After changing those two subdomains to be in the TRUSTED ZONE, the problem was solved.

This is the question that helped me solve it:

Access denied in IE 10 and 11 when ajax target is localhost

Cateno Viglio
  • Took me a long time to find this idea but this did it for me. CORS request was working just fine in Chrome and Firefox but not IE. After comparing Request headers I realized the "Origin" flag was not being sent in IE. Not sure why, but once I added our local intranet site domain, then it worked. – jaredbaszler Feb 12 '20 at 21:30
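
The answer and the comment above both came down to comparing what the browser actually sent (Origin, credentials) with what the server returned. As an added example, not code from either poster, this servlet filter logs that comparison per request so a browser-side cause can be told apart from a server-side one. It assumes the javax.servlet API (Servlet 3.0, as on JBoss 7.1.1) and that it is mapped ahead of the CorsFilter from the question; the class name and verdict labels are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added diagnostic example (hypothetical class name); map it before CorsFilter in web.xml.
public class CorsDiagnosticFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(CorsDiagnosticFilter.class.getName());

    // Classify one request from the headers that arrived and the header the application set.
    static String classify(String origin, String cookie, String allowOrigin) {
        if (origin == null) return "NO_ORIGIN: request arrived without an Origin header";
        if (allowOrigin == null) return "NO_ACAO: application did not set Access-Control-Allow-Origin";
        if (!origin.equals(allowOrigin)) return "ORIGIN_MISMATCH: sent " + origin + ", allowed " + allowOrigin;
        if (cookie == null) return "NO_CREDENTIALS: origin allowed, but no Cookie header arrived";
        return "OK";
    }

    // Header values are client-controlled: neutralise line breaks before logging them.
    static String clean(String s) {
        return s == null ? "-" : s.replaceAll("[\\r\\n\\t]", "_");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(req, res);
        } finally {
            // Read the response header only after the inner filters have run.
            String verdict = classify(request.getHeader("Origin"), request.getHeader("Cookie"),
                    response.getHeader("Access-Control-Allow-Origin"));
            LOG.info(clean(request.getMethod()) + " " + clean(request.getRequestURI())
                    + " ua=" + clean(request.getHeader("User-Agent")) + " cors=" + clean(verdict));
        }
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

A filter inside the application cannot see headers that a proxy removes on the way back to the browser, so an `OK` verdict alongside a browser error points at something between the server and the client.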