I believe I've found two issues with IE10 on Win8 with respect to it's support for CORS.
Issue#1: IE10 will not pass cookies in a CORS ajax request unless the source site and the target of the ajax CORS request are on the same domain.
Several things here to note:
- I am using 'withCredentials: true' on the cors requests.
- The xd server is properly negotiating the pre-flight 'OPTIONS' request with all the appropriate headers (as confirmed in Fiddler):
- In Chrome this works and it sends along my authentication cookies.
- Other people have the same issue: http://stackoverflow.com/questions/12643960/internet-explorer-10-is-ignoring-xmlhttprequest-xhr-withcredentials-true
- Cookies work in CORS when a.somedomain.com does a cors request to b.somedomain.com
- Cookies don't seem to be passed along when a.somedomain.com does a cors request to any.otherdomain.com
- I have experienced this with both XMLHttpRequest and Jquery $.ajax
- Viewing the IE developer console window I see the following messages:
SEC7118: XMLHttpRequest for https://mydomain.com/somepath required Cross Origin Resource Sharing (CORS).
SEC7119: XMLHttpRequest for https://mydomain.com/somepath required CORS preflight. - I have verified the proper CORS preflight in fiddler, and verified that the server is infact returning a 401, but xhr.status = 0 after the request is complete.
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type, accept
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: https://source.somewhere.com
Issue #2 When performing a cross domain request using IE10 on Win8 if the server returns a 401 Forbidden status code, the xhr.status = 0. This is incorrect and it should equal 401.
It appears xhr.status is not getting the proper value in a CORS requests where the server returns a non-200 status code.