Why are CORS requests failing in Microsoft Edge but working in other browsers?

Jerome picture Jerome · Feb 3, 2016 · Viewed 33.2k times · Source

I'm using jQuery to send cross origin ajax requests and they're working fine in IE11, Chrome and Firefox but they fail in Edge with the following error:

SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

What's interesting is that I used Fiddler to try to figure out what was going on and when Fiddler is running and capturing requests everything works fine. As soon as I close Fiddler or pause capture it fails again.

The site is running on my local machine (webpack-dev-server) making requests across the local network to a WebAPI service.

My hosts file is set up like this:

127.0.0.1   local.myapp.test
192.168.0.111   api.myapp.test

It shouldn't be a problem in production as the site and API will be hosted in the same place but it's invaluable for development and testing.


Update:

Thanks to Eric Law I now know why it was behaving differently with Fiddler enabled - Edge was switching to Local Intranet zone because of the proxy settings change Fiddler makes and the intranet zone has a lower security level.

Fiddler forum answer

I'm going to bump the Local intranet zone security level up to Medium-High to match the Internet zone and then use Fiddler to try to work out why Edge is upset about the CORS request.

Answer

Jerome picture Jerome · Feb 8, 2016

I'll include below, verbatim, the answers that Eric Lawrence (creator of Fiddler) kindly provided on the Fiddler forum:

One possibility is that your computer is configured with an Intranet zone and that Intranet zone is dependent on a proxy configuration script: http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx. When Fiddler is running, the proxy settings are pointed at Fiddler itself.

... there's another factor at work here if you're using an Intranet site as the target of an XHR from a site in the Internet zone.

Edge runs in Enhanced Protected Mode (AppContainer). That has a feature which blocks access to Private Network Resources from Internet-Zone processes. See the "Private Network resources" section of http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx for more details.

I added local.myapp.test (the URL I'm running my SPA from) to the Local Intranet zone in Internet Options and now Edge is happy without the need for Fiddler.