Browser Bugs and Quirks
The browser world has improved considerably in recent years in adhering consistently to W3C standards, but it's still not entirely there yet. To get your CORS application to function across all major browsers you'll have to make a few small tweaks and compromises.
Limitations imposed by Internet Explorer 8 + 9
Microsoft IE engineers were reportedly concerned about security and chose deliberately to restrict the capabilities of their CORS implementation. These restrictions are listed in great detail in Eric Law's MSDN blog article XDomainRequest - Restrictions, Limitations and Workarounds.
This effectively makes MS IE the lowest common denominator of all browser CORS implementations. So if you want to build a cross-domain application that works across all popular browsers, you'll have to fit into the following mold:
- Use only GET and POST methods. This effectively cripples direct use of RESTful services. JSON-RPC 2.0 however is not affected.
- Do not use any custom request headers. Neither are cookies and HTTP credentials allowed. This effectively means that all authenticating and session tokens have to be passed within the XHR body. So we have another point that disfavours RESTful APIs while making a case for JSON-RPC 2.0.
- CORS responses must have their
Content-Typeheader set to
text/plain. You may still have JSON or XML within the actual response body.
Update February 2012: Good news for developers! Internet
Explorer 10 is expected to bring full CORS support through the
XMLHttpRequest object as other browsers do. Read the
Google Chrome Bugs
In recent months I received a number of messages from CORS Filter users complaining about problems with Chrome which were eventually traced to a buggy browser implementation. Fortunately there is an easy work-around.
Chrome mistakenly includes Origin and Accept in the Access-Control-Request-Headers (still open as of April 2013)
This is reported as bug 108394. It will affect you only if your application causes the browser to make preflight CORS requests.
Work-around: Include Origin and Accept in the CORS Filter setting that lists the accepted request headers - see cors.supportedHeaders.
Please, use the discussion thread below if you encounter any other browser bugs or wish to suggest something.comments powered by Disqus