I can't figure out why this CORS request is failing to return data.

I'm using Catalyst MVC on the backend, Firefox 24.0 as a browser. jQuery 1.9.1. Please note the following:

1. otherdomain.com requires a client certificate.
2. hitting the resource directly returns expected data. (https://otherdomain.com/resource/1) returns proper data.

I have a simple page that tests the request:

<script type='text/javascript'>
                function get_data() {
                        console.log("running");
                        $.ajax({
                                url: "https://otherdomain.com/resource/1",
                                dataType: 'json',
                                type: 'GET',
                                xhrFields: {
                                        'withCredentials': true
                                },
                                crossDomain: true
                        }).success(function(data) {
                                console.log(data)
                                $('#output').html(data);
                        }).error(function(xhr, status, error) {
                                alert("error");
                                console.log(xhr);
                        });
                }

    $(document).ready(function() {
            get_data();
    });
    </script>

</script>

Here are my request headers:

GET /resource/1 HTTP/1.1
Host: otherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://mydomain.com/test.html
Origin: https://mydomain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Here are my response headers. (copy of view source from firebug console) I see on my catalyst debug output that the request is served as 200 OK and the content is sent.

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2013 19:31:08 GMT
Server: HTTP::Server::PSGI
Vary: Content-Type
Content-Length: 653
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1800
X-Catalyst: 5.90030
Via: 1.1 otherdomain.com

And the error is thrown from the ajax call:

readyState: 0
responseText: ""
status: 0
statusText: "error"

firebug shows the response body as empty from the request event though it's a 200 OK.

I thought that when using 'withCredentials' a pre-flight request was required but I don't see an OPTIONS being sent via firebug.

Also, i can see no Access-Control-Request-Header being added by my request, so I'm not returning any Access-Control-Allow-Headers from the server.

Now, the frontend of Catalyst is Apache2, and I'm using proxypass in a virtual host to send the request to catalyst on localhost:8080. I'm not sure if that has any bearing but thought it might be important. It should be transparent to the browser though.

Thanks for any help!

1. GET requests are not preflighted. See Here
2. When responding to a credentialed request, server must specify a domain, and cannot use wild carding. (must not be Access-Control-Allow-Origin: *). See Here

I have a similar issue, where everything works fine in Chrome, but I get 405 for all cross-domain requests in Firefox (and similar problems with IE). I tried adding xhrFields, and the crossDomain flag. I am also using beforeSend to actually do an xhr.withCredentials = true. I made sure that I have hostname match on the service backend. I use the Access-Control-Allow-Credentials header.

The one thing that might be different... I only send these headers when the Origin header is present, because if I don't get Origin, my only response for Access-Control-Allow-Origin could be * because I would not know what the origin is.