Browser fails to recognize Access-Control-Allow-Origin if it is an IDN domain

Issue #8075637 • Assigned to Nicolas A.

Details

Author
marcus o.
Created
Jul 4, 2016
Privacy
This issue is public.
Found in
  • Microsoft Edge
  • Internet Explorer
Reports
Reported by 3 people


Steps to reproduce

This error seems to exist in both the latest IE and the latest Edge. The error occurs when you are on an IDN domain (my domain contains an ‘å’) and make an XMLHTTP cross-origin request. On the server responding to the request you can set the Access-Control-Allow-Origin response header to the exact request origin, yet it still says the origin does not match; the only value you can set for it to work is the wildcard (*).

I’ve attached an image with the console error.
I’m using English as my browser language; perhaps this only happens if you use a browser language which does not have that character.

Attachments

2 attachments

Comments and activity

  • If you open the network tab and click into the request, you can also see that the Origin request header has broken encoding; see attachment. In other browsers where it works, the Origin header is set to the punycode URL.

  • Steps to reproduce:

    1. Set up a server which is configured to allow and respond to CORS requests using the ‘Access-Control-Allow-Origin’ header, and set its value to the requesting origin (which should mean it will allow all requests).
    2. Go to a website with a punycode domain (e.g. http://xndetrsbonsdomaines-vsb.com).
    3. Open up the console in developer tools and make a POST request to your server (if jQuery is present, as in the above domain, simply do it using jQuery.post()).
    4. You will now see that you get the error as shown in the IEBUGG2.png attachment above.
    5. Try the same procedure in Chrome/Firefox (haven’t tested any others) and you’ll see everything works fine there.
  • So you are just going to completely ignore this issue? We can’t secure our server from foreign domain requests using the ‘Access-Control-Allow-Origin’ header because of this bug, and it only happens in IE and Edge.

  • So you are just going to completely ignore this issue? We can’t secure our server from foreign domain requests using the ‘Access-Control-Allow-Origin’ header because it would break our site with a punycode domain in IE / Edge (and no other browser).

  • Microsoft Edge Team

    Changed Assigned To to “Brad E.”

  • Sorry about the delay in getting back to you with this bug report.

    Which version of Edge are you testing this out on?

    Also, the domain you provided does not seem to be active any longer. Can you provide another sample domain that we can use for the repro? The rest of my repro environment is ready to go.

    All the best,
    The MS Edge Team

  • We have not received a response with more details - this item of feedback will be closed soon unless we are able to obtain more information.

  • It doesn’t matter if the domain is active, as long as the site responds (which the site I provided does), since you just need to get the browser to make a request with a punycode domain origin.

    1. Open developer tools -> console.
    2. Go to http://xndetrsbonsdomaines-vsb.com
    3. In the console, enter jQuery.post()

    You will now see an error in the console about the Access-Control-Allow-Origin not matching the server, even if you have configured your server so it does. In the network tab you can also see that the Origin has broken encoding.

  • In step 3 of my previous comment you should put your server URL inside post(): jQuery.post(example.com)

  • I have the same problem. I have done extensive testing and can confirm the problem only exists with IDN domains.

    In my case I use Google reCAPTCHA, and it functions with all browsers except for IE 11, where the browser fails to recognize Access-Control-Allow-Origin.

    https://dev.körkort.se/test-captcha.php
    https://dev.xnkrkort-wxa.se/test-captcha.php

  • I see the same bug on Cyrillic domains, namely here: https://екатеринбург.рф/noname/vidzhet-uralbilet

    IE10 and IE11 do not recognize the domain name returned in the Access-Control-Allow-Origin header.

  • Correction.
    The URL demonstrating the bug is:
    https://екатеринбург.рф/noname/vidzhet-uralbilet#cors

  • I am still not able to repro this in IE11 on Win 10 running build 14911.  I went to this site and threw a jQuery.post() at it … Worked exactly as expected in both Edge and IE 11.  No errors.

  • Actually, upon reviewing the URL you gave again with Edge I do see the error you are reporting. We will investigate.

    All the best,
    The MS Edge Team

  • Microsoft Edge Team

    Changed Assigned To to “Venkat K.”

  • Thank you, Brad.

  • Microsoft Edge Team

    Changed Assigned To from “Venkat K.” to “Nicolas A.”

  • Any news, Microsoft?

  • We hit the same issue in Japan, is there any update?
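
Added example (not part of the original thread or any commenter's code): a server-side origin check for the setup discussed above, which compares the request's Origin header against an allowlist after converting the host to punycode, so the server does not have to fall back to the wildcard or to reflecting any origin. The allowlist, the function names and the mis-encoded sample value are constructed for illustration; the exact bytes IE/Edge send are not shown on this page.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def canonical_origin(origin):
    """Return scheme://host[:port] with the host as IDNA A-labels (punycode),
    or None if the value is not a well-formed http(s) origin."""
    try:
        parts = urlsplit(origin.strip())
        host, port = parts.hostname, parts.port
        if parts.scheme not in DEFAULT_PORTS or not host:
            return None
        # An origin carries no path, query, fragment or userinfo.
        if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
            return None
        ascii_host = host.encode("idna").decode("ascii").lower()
    except (ValueError, UnicodeError):
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{ascii_host}"
    return f"{parts.scheme}://{ascii_host}:{port}"

# Constructed allowlist; entries may be written in Unicode or punycode form.
ALLOWED_ORIGINS = frozenset(
    c for c in map(canonical_origin,
                   ("https://dev.körkort.se", "https://app.example"))
    if c is not None
)

def allow_origin_header(request_origin, allowed=ALLOWED_ORIGINS):
    """Value for Access-Control-Allow-Origin, or None to omit the header.
    Returns the canonical ASCII form, never the raw request bytes or '*'."""
    canon = canonical_origin(request_origin or "")
    return canon if canon in allowed else None

if __name__ == "__main__":
    samples = [  # constructed Origin header values
        "https://dev.xn--krkort-wxa.se",  # punycode form, as other browsers send
        "https://dev.kÃ¶rkort.se",        # assumed mis-encoded form (UTF-8 read as Latin-1)
        "https://evil.example",           # not on the allowlist
    ]
    for value in samples:
        print(repr(value), "->", allow_origin_header(value))
```

A mis-encoded Origin value fails the comparison and gets no Access-Control-Allow-Origin header, so the affected browsers are still blocked, but the allowlist stays intact for every other client.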
