I’m currently having an issue with a cross-domain ajax call using IE10 (in IE10 mode, not compatibility).
Situation:
I have two domains, http://a
and http://b
. I have a cookie set for http://b
. I am currently on page http://a
.
I want to do a CORS request to http://b
using XMLHttpRequest (which should work, according to http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx), and include the cookie in the request.
The JS is as follows:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://b', true);
xhr.withCredentials = true;
xhr.send();
This should ensure that the cookie is attached to the request; however, the Fiddler trace shows that no cookie is attached, and I get 401: Access Denied
.
The server is configured to work with CORS, it includes the Access-Control headers:
Access-Control-Allow-Origin: http://a
Access-Control-Allow-Credentials: true
(this should not make any difference, since there is no OPTIONS preflight request, and the first request IE sends is a GET, and the cookie is not present, thus causing a 401).
Furthermore, the JS snippet works fine in both Firefox and Opera.