cross-origin header in IE8/IE9

2019-03-14 16:31发布

问题:

Since jQuery ajax ist not working for CORS/IE, I'm using XDomainRequest to retreive data from another Server. Work's fine, but I would like to send some header ('Authentification', 'content-type').

Is there a chance to add/change header in XDomainRequest?

Or does someone know a workaround?

回答1:

This is what we did for IE.

If you have control over the target domain, host a (static) html file there. Include the html using the iframe.

Now this iframe does actually have access to the local domain, so you can communicate between the parent and child frame to get what you need.

This worked much better than XDomainRequest for us.

window.postMessage is the best way to setup the communication:

But I'm pretty sure that only started working since IE8. If you require older browsers as well, you must use a different hack.

In our case, this was our 3-layer system:

  1. CORS, for browsers that support it
  2. An iframe & window.postMessage as a primary fallback
  3. A server-side proxy script as the secondary fallback

All of these options work well, are reliable and didn't feel too much like a hack. The secondary fallback was barely ever used.

Keep in mind that the 'Authentication' header specifically is special, and I would not be shocked that that's blocked under certain circumstances anyway. We added a custom header 'X-Authenticate' as it did pass through all the time.



回答2:

IE's XDomainRequest does not allow custom headers to be set. See item #3 here: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx The XDomainRequest object is locked down to the point where it is difficult to make authenticated requests.