Geek Answers Handbook

Internet Explorer Cross Domain: Doesn't Send Preflight

I found several similar threads. However, no one has yet worked.

Problem

In our current ecosystem, we have three servers for our http-apis. Two for dough and one for production.

We recently released web-based client applications using AngularJS. Since client applications are designed for our clients, communication with our api is cross-domain. Web applications work correctly in Chrome, Safari, and Firefox. However, for the third api, Internet Explorer (11) refuses to send a preview request (options), which disconnects the client to communicate with the api. In the other two apis, the web application works fine in IE.

Apis will be as follows:

https://api.doma.in/accesstoken -- Works in IE11 https://api2.doma.in/accesstoken -- Works in IE11 https://api3.doma.in/accesstoken -- Does not send preflight in IE11.

What you need to notice is that the three servers are more or less cloned, so the setup will not be much different.

However, the error I get in the error messages I receive is the following:

 SEC7118: XMLHttpRequest https://api3.doma.in/accesstoken required CORS (Cross Origin Resource Sharing). SEC7119: XMLHttpRequest https://api3.doma.in/accesstoken required CORS Preflight. SCRIPT7002: XMLHttpRequest Network error 0x80070005, Access Denied.

In the online log, this only shows that the pre-check request has been canceled, therefore, there are no request or response headers.

0
javascript angularjs internet-explorer ssl internet-explorer-11
source share
2 answers

I was able to identify the problem using openssl. By running $ openssl s_client -connect <url/domain>:443 -state , I found an error with ssl.

Api 1 and 2 showed the following as a result from openssl:

 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A

On api 3 (unsuccessful api server), the result showed two additional operations:

 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server certificate request A //This SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A //This SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A

However, I did not solve this problem on the server. At the same time, I am using xdomain "hack" ( https://github.com/jpillora/xdomain ). It is very simple to set up and works great.

0
source share

To add more details about the root cause and keep anyone else learning this for many hours / days.

In my case, IE 11 followed the correct specification and did not send a client certificate when executing a CORS Preflight request. You can read more about this here.

This part of the specification is ignored in Chrome and other browsers, and they send a client certificate.

In my case, we used Pivotal Cloud Foundry and had to make configuration changes to ensure that the connection was not simply rejected. enter image description here

To easily check if this is your problem, download and install fiddler, configure it to support HTTP and test your broken CORS again, Mine worked with Fiddler, but did not connect directly to the remote server.

0
source share

More articles:


All Articles