Internet Explorer’s definition of the “same origin” differs to the other browsers. See the IE Exceptions section of the MDN documentation on the same-origin policy: Internet Explorer has two major exceptions when it comes to same origin policy: Trust Zones: if both domains are in highly trusted zone e.g, corporate domains, then the same origin … Read more
In the error callback or $.ajax you have three input arguments: function (XMLHttpRequest, textStatus, errorThrown) { this; // options for this ajax request } You can check directly the xhr.status to get the HTTP response code, for example: $.ajax({ url: “test.html”, cache: false, success: function(html){ $(“#results”).append(html); }, error: function (xhr, textStatus) { if (xhr.status == … Read more
The documentation on this seems to imply that it allows multiple origins with a space separated list, but that’s not what it actually means. Here’s what I could gather as the most definitive answer to your question: the Access-Control-Allow-Origin header should be the same value as the Origin header as long as you want to … Read more
Your problem isn’t with jquery, it’s in how CORS works. Your beforeSend callback was probably working as expected… but browsers won’t send custom headers in preflight requests, no matter what. This is by design; the purpose of the preflight request is to determine what information the useragent (browser) is permitted to send beyond the “simple” … Read more
EDIT: Synchronous requests are now deprecated; you should always handle HTTP requests in an async way. There is a 3rd parameter to XmlHttpRequest‘s open(), which aims to indicate that you want the request to by asynchronous (and so handle the response through an onreadystatechange handler). So if you want it to be synchronous (i.e. wait … Read more
Unfortunately the XMLHttpRequest object was designed this way, because it is based on WinInet. Also, it is not recommend to be used from the server side. You should use ServerXMLHttpRequest, which has the same functionality, but depends on WinHTTP instead. See the FAQ for more information. A description from the ServerXMLHttp documentation states that: The … Read more
This is just a guess, as I use jquery for ajax requests, including CORS. I think the browser is supposed to set the header, not you. If you were able to set the header, that would defeat the purpose of the security feature. Try the request without setting those headers and see if the browser … Read more
If you want to set the authorization header req.setRequestHeader(‘Authorization’,’Basic ‘ + Base64StringOfUserColonPassword);
I think you’ve missed the point of access control. A quick recap on why CORS exists: Since JS code from a website can execute XHR, that site could potentially send requests to other sites, masquerading as you and exploiting the trust those sites have in you(e.g. if you have logged in, a malicious site could … Read more