cross-origin header in IE8/IE9

Johannes Staehlin picture Johannes Staehlin · Mar 11, 2012 · Viewed 10.5k times · Source

Since jQuery ajax ist not working for CORS/IE, I'm using XDomainRequest to retreive data from another Server. Work's fine, but I would like to send some header ('Authentification', 'content-type').

Is there a chance to add/change header in XDomainRequest?

Or does someone know a workaround?

Answer

Evert picture Evert · Mar 13, 2012

This is what we did for IE.

If you have control over the target domain, host a (static) html file there. Include the html using the iframe.

Now this iframe does actually have access to the local domain, so you can communicate between the parent and child frame to get what you need.

This worked much better than XDomainRequest for us.

window.postMessage is the best way to setup the communication:

But I'm pretty sure that only started working since IE8. If you require older browsers as well, you must use a different hack.

In our case, this was our 3-layer system:

  1. CORS, for browsers that support it
  2. An iframe & window.postMessage as a primary fallback
  3. A server-side proxy script as the secondary fallback

All of these options work well, are reliable and didn't feel too much like a hack. The secondary fallback was barely ever used.

Keep in mind that the 'Authentication' header specifically is special, and I would not be shocked that that's blocked under certain circumstances anyway. We added a custom header 'X-Authenticate' as it did pass through all the time.