Internet Explorer 11 does not add the Origin header on a CORS request?

internet-explorer xmlhttprequest cross-domain cors
Martin Andersson picture Martin Andersson · Dec 26, 2013 · Viewed 38.9k times · Source

My issue depends on a couple of assumptions I hold true.

Assumption nr 1: The Origin Header

The Origin header is required by the browser to be put on a CORS (Cross Origin Resource Sharing) request.

Wikipedia:

To initiate a cross-origin request, a browser sends the request with an Origin HTTP header.

HTML5 Rocks:

The first thing to note is that a valid CORS request always contains an Origin header. This Origin header is added by the browser, and can not be controlled by the user.

W3:

If the request URL origin is not same origin with the original URL origin, set source origin to a globally unique identifier [..].

Assumption nr 2: Internet Explorer 10+ support CORS

See caniuse.com and use google for a couple of hundreds more sources of different kinds claiming the support.

Assumption nr 3: Different ports is a different origin

Resources using different port numbers is considered to be of different origins:

Wikipedia

Two resources are considered to be of the same origin if and only if all these values are exactly the same. [..] Failure - Same protocol and host but different port.

Mozilla Developer Network

Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages.

The problem:

Internet Explorer 11 does not send the Origin header when making a CORS request to the same domain "localhost" but using different ports (from 8411 to 8080). Opera, FireFox and Chrome do send the Origin header. Yet everybody keeps saying CORS is supported in Internet Explorer 10+?

Answer

sjy picture sjy · Mar 17, 2014

Internet Explorer's definition of the "same origin" differs to the other browsers. See the IE Exceptions section of the MDN documentation on the same-origin policy:

Internet Explorer has two major exceptions when it comes to same origin policy:

  • Trust Zones: if both domains are in highly trusted zone e.g, corporate domains, then the same origin limitations are not applied
  • Port: IE doesn't include port into Same Origin components, therefore http://company.com:81/index.html and http://company.com/index.html are considered from same origin and no restrictions are applied.

Therefore if your cross-origin request occurs across different ports, or within one of IE's trusted zones, IE will not treat the request as cross-origin and will see no need to add the Origin: header.

Related questions

selectSingleNode works but not selectNodes

Javascript: var req=xmlDoc.responseXML.selectSingleNode("//title"); alert(req.text); as expected, returns the text of the first "title" node. but this var req=xmlDoc.responseXML.selectNodes("//title"); alert(req.text); returns "undefined." The following: var req=xmlDoc.responseXML.selectNodes("//…

Read More
Setting headers in XDomainRequest or ActiveXObject('Microsoft.XMLHTTP')

I'm trying to do something like this (W3 compliant, DOM): xhr.setRequestHeader( 'X-Requested-With', 'XMLHttpRequest' ); For ActiveXObject('Microsoft.XMLHTTP') and XDomainRequest (IE8). I'm having no such luck finding it anywhere in microsoft documentation or even google. Any idea how I can …

Read More
Google Translate Not working in Any IE but works in Firefox and GoogleChrome

I have tested this page in IE, Firefox, and Google Chrome. It works in all except IE. Can someone please tell me how to fix this, I have tried just about everything I could for the last two days. TRY …

Read More