
Update posts/cors.md

Open toddself opened this issue 11 years ago • 10 comments

It should be mentioned that IE8 and IE9 do not let you use CORS if your page is loaded from an HTTPS source.

It's a massive pain in the ass (and definitely caused me several frustrating debugging hours).

toddself avatar Oct 19 '12 20:10 toddself

whaaat

@mhausenblas

paulirish avatar Oct 20 '12 21:10 paulirish

Load a page from an https URL in IE8 or IE9.

Attempt to make an XDR request from that page to another host correctly configured for CORS.

It will fail because you cannot make an XDR request in IE 8 or 9 from a page served over HTTPS.

You get no error or warning; it just failed silently.

This should be noted on this section because it's a pain in the ass to figure out what's going on.

On Oct 20, 2012, at 17:52, Paul Irish wrote:

whaaat

@mhausenblas https://github.com/mhausenblas


toddself avatar Oct 20 '12 22:10 toddself

To be brutally honest with you guys: I don't have a friggin clue why this is the case but maybe @monsur does?

mhausenblas avatar Oct 21 '12 17:10 mhausenblas

Why what is the case?

Why you can't use the XDomainRequest object in IE to retrieve documents from a foreign host over HTTPS when your page has been served from an HTTP server?

To quote from the IEInternals Blog at MSDN:

However, this restriction is overly broad, because it prevents HTTP pages from issuing XDomainRequests targeted to HTTPS pages. While it’s true that the HTTP page itself may have been compromised, there’s no reason that it should be forbidden from receiving public resources securely.

In Chrome, Firefox, IE10, Opera, Safari, etc., this is possible.

In IE8 and IE9 it is not.

The CORS section of the site should explain the fact that these requests will fail and will fail silently.

Additionally, the XDomainRequest object in IE8/9 is unable to set any additional headers or mime-types. Being that a common use-case for using a CORS-type request is via some sort of API, if that API requires OAuth to present Authentication credentials (via the Authorization: OAuth [token] header), this additionally will be impossible. The API service would need to be able to obtain the authentication credentials from an alternate source than the Header.

toddself avatar Oct 21 '12 17:10 toddself

Thanks, @toddself - added it to enable-cors.org staging area ...

mhausenblas avatar Oct 21 '12 17:10 mhausenblas

@toddself ping. We've run into this recently on the application I work on. Would love to hear of any workarounds you've found, and if none to revise this PR and get it merged.

robwierzbowski avatar Dec 15 '13 20:12 robwierzbowski

@robwierzbowski The workaround is quite a pain. You'll need to load an iframe from your HTTPS site that you want to communicate with, then use postMessage to handle the communication across the domains, and then have the iframe do the communication.

I feel the wording in the suggested change is rather clear -- CORS over HTTPS does not work in IE8 and IE9, even using an XDomain object. Not sure what else needs to be cleared up in order for this to be merged.

toddself avatar Dec 15 '13 20:12 toddself
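
The iframe and postMessage workaround described in the comment above, sketched as an added example that is not part of the original thread or of any project mentioned in it. The origins, the path allowlist and the function names (`makeBridgeHandler`, `makeReplyHandler`, `doGet`) are assumptions made for illustration; the point shown is that both sides check `event.origin` and the iframe replies to an explicit target origin.

```javascript
// Added example; origins and paths below are constructed placeholders.
var PARENT_ORIGIN = "http://app.example";  // page that embeds the iframe
var API_ORIGIN = "https://api.example";    // HTTPS host that serves the iframe
var ALLOWED_PATHS = { "/v1/public/items": true }; // only these are proxied

function parse(data) {
  // IE8/9 postMessage carries strings only, so messages are JSON text.
  try { return JSON.parse(data); } catch (e) { return null; }
}

// Iframe side (served from API_ORIGIN). doGet(path, cb) is the iframe's own
// same-origin request, injected here so the checks can be exercised alone.
function makeBridgeHandler(doGet) {
  return function (event) {
    // Ignore messages from any origin other than the expected parent page.
    if (event.origin !== PARENT_ORIGIN) return false;
    var msg = parse(event.data);
    if (!msg || typeof msg.id !== "number" || typeof msg.path !== "string") return false;
    function reply(body) {
      // Explicit target origin, never "*", so replies reach only the parent.
      event.source.postMessage(JSON.stringify(body), PARENT_ORIGIN);
    }
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_PATHS, msg.path)) {
      reply({ id: msg.id, error: "path not allowed" });
      return false;
    }
    doGet(msg.path, function (err, text) {
      reply(err ? { id: msg.id, error: String(err) } : { id: msg.id, body: text });
    });
    return true;
  };
}

// Parent side: pending maps request id -> callback(err, body).
function makeReplyHandler(pending) {
  return function (event) {
    // Accept replies only from the bridge iframe's origin.
    if (event.origin !== API_ORIGIN) return false;
    var msg = parse(event.data);
    if (!msg || typeof msg.id !== "number") return false;
    if (!Object.prototype.hasOwnProperty.call(pending, msg.id)) return false;
    var cb = pending[msg.id];
    delete pending[msg.id]; // one reply per request
    cb(msg.error || null, msg.body);
    return true;
  };
}
```

In IE8 each handler is attached with `window.attachEvent("onmessage", handler)`; newer browsers use `addEventListener("message", handler)`.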

Since it was opened 2 years ago, does somebody want to update this PR a little?

@toddself Would you like to update stuff?

arthurvr avatar Dec 18 '14 09:12 arthurvr

The issue is that you cannot make a cross domain request via https regardless of what protocol the original page is served in IE 8.

On Dec 18, 2014, at 11:14, Monsur Hossain wrote:

So reviewing this thread, I don't think the issue is that IE8/9 can't make CORS requests to https, it's that XDomainRequest can't cross schemes. So an http client can't make a request to an https server, and vice versa. I can update the client page with the full list of XDomainRequest limitations. (Sorry for not addressing this early, I actually missed it the first time around).

toddself avatar Dec 18 '14 16:12 toddself

Is there a repro case of this? I thought https->https CORS worked with XDomainRequest.

monsur avatar Dec 19 '14 03:12 monsur