Make a CORS request in IE9 with cookies?

Asked 7/6, 2012 at 23:32 Answered 25/6, 2012 at 18:30

Solved cookies internet-explorer-9 xdomainrequest

In IE9, I am attempting to make a cross origin request with cookies. However, even when I have the Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Methods all set to the appropriate values (the origin domain, true, and GET, POST), IE9 still isn't sending or setting cookies from the request. Here's the script I'm using:

var xdr = new XDomainRequest()
xdr.open("http://mydomain.com/cors.php")
xdr.withCredentials = true;
xdr.send();

Any idea on how to get cookies to work with CORS requests in IE9?

Scabby answered 7/6, 2012 at 23:32 Comment(1)

jeff did you found the solution? perhaps you can send cookie info as query param as work around? – Doghouse 21/6, 2012 at 22:33

From this page http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx at the bottom you can see Update: Internet Explorer 10 now supports CORS using XMLHTTPRequest. It means CORS is not handled properly in IE9. Sorry. They propose some workarounds with proxy in the same article.

Browser compatibility matrix is given at http://caniuse.com/cors where by partial support they mean

Internet Explorer 8 provides support via the XDomainRequest object but doesn't support credentialed requests http://code.google.com/p/sgvizler/wiki/Compatibility.

Liberia answered 8/6, 2012 at 13:23 Comment(3)

Maybe the XHR object works better in IE10 - but it doesn't send all of the cookies. – Gott 31/7, 2013 at 7:41

I can confirm it only works properly in IE10+. IE9 and IE8 have to use XDR and it sucks because the content-type has to be text/plain and can't use cookies. BTW, no proxy (or cURL) is going to work for cookies because cross-domain cookies are also forbidden for security reasons. – Cubby 10/9, 2013 at 18:35

Updating to note that I believe that IE10 and IE11 on anything before Windows10 still also require their special P3P policy header to be set on the server in order for the server to read the server domain cookies from the client browser in this way. – Repetition 26/2, 2016 at 19:37

From my experience, if both domains are in your control better to use postMessage

Doghouse answered 25/6, 2012 at 18:30 Comment(1)

Somewhat of a problem... #16227424 – Gott 31/7, 2013 at 9:48

Recommended topics

Hot tags