I have an ASP.NET MVC web application (delivered over HTTP) which when rendered on the client uses the XMLHttpRequest object to request data from a web service within a different domain (on a different server over HTTPS). As of now this is all within a local area network and both servers are considered part of the Local Intranet security zone on the client machine. CORS has been implemented within the web service and all of the appropriate CORS headers are returned from the server when handling the actual request or the CORS preflight (OPTIONS) request.
What I am observing within IE 10 is that simple requests (ones not requiring preflighting) execute without issue. However complex requests (one requiring preflighting) fail. The IE network tracing states aborted on the preflight request to the web service and within the IE console the error message 'XMLHttpRequest: Network Error 0x80070005, Access is denied' is written.
What's interesting is that if I change the client script to access the web services via HTTP instead of HTTPS (MVC is still delivered over HTTP), then there is no issue performing complex CORS requests. Everything works as expected. This led me to believe that perhaps IE was not allowing a mismatch in protocols between the origin and cross-domain request. However, if I deliver the MVC app over HTTPS and then call the web services via HTTPS, I still get the same error. It seems that the issue is centered around making any sort of complex CORS requests over HTTPS.
As a note, the failing scenario documented above works fine in Chrome and FireFox.
While I have cited that this is not reproducible in IE9, this is only because the scenario is not supported at all by IE9 and therefore is not testable.