Unable to make complex cross domain requests in IE 10 over SSL using XMLHttpRequest - by gtw1

Status : 

  Fixed<br /><br />
		This item has been fixed in the current or upcoming version of this product.<br /><br />
		A more detailed explanation for the resolution of this particular item may have been provided in the comments section.

ID 789990 Comments
Status Closed Workarounds
Type Bug Repros 0
Opened 6/12/2013 7:15:08 AM
Access Restriction Public


I have an ASP.NET MVC web application (delivered over HTTP) which when rendered on the client uses the XMLHttpRequest object to request data from a web service within a different domain (on a different server over HTTPS).  As of now this is all within a local area network and both servers are considered part of the Local Intranet security zone on the client machine.  CORS has been implemented within the web service and all of the appropriate CORS headers are returned from the server when handling the actual request or the CORS preflight (OPTIONS) request.

What I am observing within IE 10 is that simple requests (ones not requiring preflighting) execute without issue.  However complex requests (one requiring preflighting) fail. The IE network tracing states aborted on the preflight request to the web service and within the IE console the error message 'XMLHttpRequest: Network Error 0x80070005, Access is denied' is written.

What's interesting is that if I change the client script to access the web services via HTTP instead of HTTPS (MVC is still delivered over HTTP), then there is no issue performing complex CORS requests.  Everything works as expected.  This led me to believe that perhaps IE was not allowing a mismatch in protocols between the origin and cross-domain request.  However, if I deliver the MVC app over HTTPS and then call the web services via HTTPS, I still get the same error.  It seems that the issue is centered around making any sort of complex CORS requests over HTTPS.

As a note, the failing scenario documented above works fine in Chrome and FireFox.

While I have cited that this is not reproducible in IE9, this is only because the scenario is not supported at all by IE9 and therefore is not testable.
Sign in to post a comment.
Posted by Microsoft on 6/26/2013 at 11:43 AM
Thank you for your feedback.

We are glad you were able to isolate the configuration issue.

Please feel free to file more Feedback with us in the future.

Best regards,

The Internet Explorer Team
Posted by gtw1 on 6/17/2013 at 7:17 AM
I have determined what the issue was on my own. Apparently the Client Certificates SSL option within IIS on my web service virtual directory was set to Accept instead of Ignore. While I am not exactly certain why having it configured in this fashion causes this behavior in IE, changing it to Ignore resolved the issue. It is also not clear to me why having Fiddler enabled would change the behavior. At rate, this appears to not be a bug, but instead a configuration issue.
Posted by gtw1 on 6/15/2013 at 11:01 AM
Interestingly enough, the issue no longer occurs when monitoring the web traffic using Fiddler. However, as soon as I terminate Fiddler, the issue immediately comes back. I can certainly provide the request and response headers if it will be of use, but it seems like they must be fine if IE works when Fiddler is running.
Posted by Microsoft on 6/14/2013 at 11:18 AM
Thank you for your feedback.

In order to investigate this issue further, can you upload an example of your script as well as the header responses that are being sent and received. You can use something like Fiddler to get these.

Best regards,

The Internet Explorer Team