Home Dashboard Directory Help
Search

IE 10 on Win8 does not assign the correct HttpStatus to XmlHttpRequest when the result is 401 by Fungears


Status: 

Resolved
 as Won't Fix Help for as Won't Fix


Type: Bug
ID: 802602
Opened: 9/27/2013 7:27:57 AM
Access Restriction: Public
Primary Feedback Item: 773478
0
Workaround(s)
view
1
User(s) can reproduce this bug

Description

IE10 on Windows 8 does not handle Unauthorized request (401) correctly in a CORS cross-origin POST scenario.
Response status of XmlHttpRequest is equal to 0 when it should be equal to 401.


In our scenario we are using CORS to send a POST request to a cross origin-host.
IE10 send 2 requests : 1 preflight (OPTION) + 1 POST

OPTION returns 200 with all the requires access-control headers.
OPTION requests do not need authorization.

POST request returns 401 (POST requests require Authorization header).
Our server also populate the response with a authenticate header : WWW-Authenticate: Bearer realm="ourrealm"

On the POST request, IE10 do not populate the status code with 401. Status code is 0.
Our JS client can't handle the fact that the authorization is required and then resend a POST request with the authorization header.

Following are the HTTP requests traces :

OPTIONS http://apitest/api/values HTTP/1.1
Accept: */*
Origin: http://localhost
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type, accept, authorization
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Host: apitest
Content-Length: 0
DNT: 1
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept,content-type,authorization
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 27 Sep 2013 14:05:56 GMT
Content-Length: 0

POST http://apitest/api/values HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json; charset=utf-8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJodHRwczovL2Z1bmdlYXJzLmlvLyIsImlzcyI6Imh0dHBzOi8vZnVuZ2VhcnMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldC8iLCJuYmYiOjEzODAyMzc1OTYsImV4cCI6MTM4MDMyMzk5NiwibmFtZWlkIjoiZnVuZ2VhcnMvcHVibGljIiwiaWRlbnRpdHlwcm92aWRlciI6Imh0dHBzOi8vZnVuZ2VhcnMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldC8ifQ.3zJq-FdcSZP7eFqQcyzQ17D_XYWv7u66k04E8g2vLB0
Referer: http://localhost/gearsapiconnectors/tests/interactive.html
Accept-Language: fr-FR
Origin: http://localhost
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Connection: Keep-Alive
Content-Length: 58
DNT: 1
Host: apitest
Pragma: no-cache

{"gamerId":0,"gamerApiKey":"","actionKey":"action-create"}


HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 27 Sep 2013 14:05:56 GMT
Content-Length: 34

{"Message":"Unauthorized message"}



At this point the status code in the XmlHttpRequest object is equal to 0. It should be equal to 401.
This is working fine in Chrome and Firefox.

It looks like many other people are experiencing the same bug but you keep closing the bug report whereas it is a major issue :

- http://stackoverflow.com/questions/16081267/xmlhttprequest-status-0-instead-of-401-in-ie-10
- https://connect.microsoft.com/IE/feedback/details/773478/ie-10-on-win8-does-not-assign-the-correct-httpstatus-to-xmlhttprequest-when-the-result-is-401
- https://connect.microsoft.com/IE/feedback/details/785990/ie-10-on-win8-does-not-assign-the-correct-status-to-xmlhttprequest-when-the-result-is-401
Details
Sign in to post a comment.
Posted by Microsoft on 10/3/2013 at 11:25 AM
Fungears,

This turns out to be the same issue as Connect Feedback 773478.

Please follow the progress of this bug here.
http://connect.microsoft.com/IE/feedback/details/773478/ie-10-on-win8-does-not-assign-the-correct-httpstatus-to-xmlhttprequest-when-the-result-is-401.

Thank you.

Best regards,

The Internet Explorer Team
Sign in to post a workaround.