XMLHttpRequest withCredentials for IE11 handled in different ways between Windows 7 and Windows 10

By design Issue #15479375

Details

Author
James S.
Created
Jan 16, 2018
Privacy
This issue is public.
Found in
  • Internet Explorer
Reports
Reported by 1 person

Steps to reproduce

I have a server which for testing purposes I am running on the following URL: http://james:8081

This server has basic auth and just returns some data, with the response header Access-Control-Allow-Origin set to the value: “http://james:8080”.

I have a second server which is running on: http://james:8080

When you navigate to the second server it will make a GET request to the first server using the following code:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://james:8081', true);
xhr.withCredentials = true;
xhr.send();

The flow is navigate to the first url (http://james:8081), log in with basic auth. Then open another browser tab and navigate to the second url (http://james:8080). The browser should then make the above GET request to the first server, and due to the user having already logged in to that server, the GET request should be satisfied.

This works as expected on Windows 7 using IE11. But it does not work on Windows 10 using IE11; you receive the following in the console:

SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

With the following request status: 401/Unauthorized.

This was tested on the VMs provided by Microsoft on Modern.ie.

I can’t seem to find an answer for why this is happening, or how I can solve this issue?

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

    • Hi James,

      We mainly handle Edge related issues on this site.  Have you tried the same tests with Edge?

      Which virtual machine are you using?  E.g. VirtualBox, Hyper-V.  What IP do the “james” domains resolve to?

      Steve

    • I am using VirtualBox and the domain resolves to my local IP address.

      I have tested the same issue in Edge. Edge handles it in the same way as IE11 on Windows 10 (which fails).

      I have a work around for Edge, as I can use fetch. So instead of doing:

      var xhr = new XMLHttpRequest();
      xhr.open('GET', 'http://james:8081', true);
      xhr.withCredentials = true;
      xhr.send();

      I can do:

      fetch('http://james:8081', { method: 'GET', credentials: 'include' });

      And this works well, but as fetch is not supported in IE11, I do not have that luxury.

    • Hi James,

      I believe this will work with XMLHttpRequest if you modify your server configuration from:

      Access-Control-Allow-Origin set to the value: “http://james:8080”

      to:

      Access-Control-Allow-Origin set to the value: “http://james:*”

      There are unique exceptions for IE for Port and Trust Zones, however, you are using IE11 in Windows 10 (behavior not always the same as IE11 on other Windows versions) and your Trust Zone is “Local Intranet Zone” so those exceptions will not apply.  In summary, I believe changing your server config as mentioned above should allow what you are trying to do.

      Here is a reference post from Stack Overflow which covers most of the issue you are seeing:

      https://stackoverflow.com/questions/20784209/internet-explorer-11-does-not-add-the-origin-header-on-a-cors-request

      If you find that this is not the case and you have a premier support contract, you can visit https://premier.microsoft.com and open a support incident and work with an engineer to address this issue.

      Let me know if this corrects the issue,

      Steve

    • Thought I would mention that it appears IE11 Windows 10 is enforcing the standard Same-origin policy definition while Windows 7 IE 11 is not.

      https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
      (This link is also referenced from the previous link I provided to Stack Overflow.)

      Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages. You’ll see this referred to as the “scheme/host/port tuple” at times (where a “tuple” is a set of three components that together comprise a whole).

    • I wanted to mention that a way to make sure your testing is using the “Internet Zone” instead of the “Intranet Zone” is to use a server name with a ‘.’ in it.  For example, define james.com in the Windows hosts file.  I am assuming the domain ‘james’ you are using is really on localhost.  Also, assuming no other modifications have been made to specify any other special zone handling or additions to trusted sites for the ‘james’ domain.

      As an FYI, here is a link to the component Urlmon of the WinInet library that is making this zone decision.
      https://msdn.microsoft.com/en-us/library/aa939357(v=WinEmbedded.5).aspx

      Steve

    • Microsoft Edge Team

      Changed Status to “By design”
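
The thread turns on the scheme/host/port origin tuple and on what a server must send back for a cross-origin request made with `withCredentials = true`. The following is an added example, not part of the original issue and not browser source code: it models the origin comparison and the CORS check as defined in the Fetch standard, and does not model IE's security-zone exceptions. The function names and sample header sets are assumptions made for illustration; `Access-Control-Allow-Credentials` is the standard response header for credentialed requests and is not mentioned in the thread.

```javascript
// Added example (not browser source); models the standard checks only,
// not the IE security-zone exceptions discussed in the thread.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Scheme/host/port tuple; a missing port falls back to the scheme default.
function originTuple(url) {
  const u = new URL(url);
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol] || ''];
}

function sameOrigin(a, b) {
  const ta = originTuple(a), tb = originTuple(b);
  return ta.every((part, i) => part === tb[i]);
}

// CORS check: may script on `pageOrigin` read this cross-origin response?
// `headers` maps lower-cased response header names to values.
function corsCheck(pageOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  // The wildcard is accepted only for requests sent without credentials.
  if (!withCredentials && allowOrigin === '*') return true;
  // Otherwise the value must equal the page origin exactly.
  if (allowOrigin !== pageOrigin) return false;
  // Credentialed requests also need Access-Control-Allow-Credentials: true.
  return !withCredentials ||
    headers['access-control-allow-credentials'] === 'true';
}

// Constructed sample responses for the two test servers in the report.
const page = 'http://james:8080';
const api = 'http://james:8081';
const cases = {
  exactOnly: { 'access-control-allow-origin': page },
  exactWithCreds: {
    'access-control-allow-origin': page,
    'access-control-allow-credentials': 'true',
  },
  wildcard: { 'access-control-allow-origin': '*' },
};

function runCases() {
  const out = { crossOrigin: !sameOrigin(page, api) };
  for (const [name, headers] of Object.entries(cases)) {
    out[name] = corsCheck(page, true, headers);
  }
  return out;
}
console.log(runCases());
```

Passing this check only decides whether the page's script may read the response; a 401 from the server, as in the report, is a separate authentication outcome.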
