CORS Filter
Browser Bugs and Quirks
The browser world has improved considerably in recent years in adhering consistently to W3C standards, but it's still not entirely there yet. To get your CORS application to function across all major browsers you'll have to make a few small tweaks and compromises.
Limitations imposed by Internet Explorer 8 and 9
Microsoft IE engineers were reportedly concerned about security and chose deliberately to restrict the capabilities of their CORS implementation. These restrictions are listed in great detail in Eric Law's MSDN blog article XDomainRequest - Restrictions, Limitations and Workarounds.
This effectively makes MS IE the lowest common denominator of all browser CORS implementations. So if you want to build a cross-domain application that works across all popular browsers, you'll have to fit into the following mold:
- Use only GET and POST methods. This effectively cripples direct use of RESTful services. JSON-RPC 2.0 however is not affected.
- Do not use any custom request headers. Cookies and HTTP credentials are not allowed either. This effectively means that all authentication and session tokens have to be passed within the XHR body. So we have another point that disfavours RESTful APIs while making a case for JSON-RPC 2.0.
- CORS responses must have their Content-Type header set to text/plain. You may still have JSON or XML within the actual response body.
Update February 2012: Good news for developers! Internet Explorer 10 is expected to bring full CORS support through the XMLHttpRequest object as other browsers do. Read the MSDN article.
Google Chrome Bugs
In recent months I received a number of messages from CORS Filter users complaining about problems with Chrome which were eventually traced to a buggy browser implementation. Fortunately there is an easy work-around.
Chrome mistakenly includes Origin and Accept in the Access-Control-Request-Headers (still open as of April 2013)
This is reported as bug 108394. It will affect you only if your application causes the browser to make preflight CORS requests.
Work-around: Include Origin and Accept in the CORS Filter setting that lists the accepted request headers (see cors.supportedHeaders), for example:
Origin, Accept
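To see why the work-around is needed, here is an added example (not the CORS Filter's own code) that models the preflight check a CORS filter performs: every name in the browser's Access-Control-Request-Headers must appear in the configured cors.supportedHeaders list, compared case-insensitively. The preflight value below is constructed to match what Chrome sends under bug 108394, with Origin and Accept listed alongside the one custom header the application actually set.

```python
# Added example, not from the CORS Filter project: a model of the
# preflight header check and the effect of the cors.supportedHeaders work-around.

def parse_header_list(value):
    """Split a comma-separated header-name list into a lowercase set.
    Used for both cors.supportedHeaders and Access-Control-Request-Headers;
    an empty or missing value yields an empty set."""
    if not value:
        return set()
    return {name.strip().lower() for name in value.split(",") if name.strip()}

def preflight_headers_allowed(supported_setting, requested_value):
    """Return (allowed, rejected_names).

    supported_setting: the cors.supportedHeaders value from the filter config.
    requested_value:   the Access-Control-Request-Headers value of the preflight.
    The preflight passes only if every requested name is in the supported set;
    the rejected names are returned sorted so the caller can log them."""
    supported = parse_header_list(supported_setting)
    requested = parse_header_list(requested_value)
    rejected = sorted(requested - supported)
    return (not rejected, rejected)

# Constructed preflight value as Chrome (bug 108394) sends it: Origin and Accept
# are included even though the application only set X-Requested-With.
CHROME_PREFLIGHT = "origin, accept, x-requested-with"

if __name__ == "__main__":
    # Filter configured for the application's real custom header only:
    # the spurious Origin/Accept entries cause the preflight to be rejected.
    print(preflight_headers_allowed("X-Requested-With", CHROME_PREFLIGHT))
    # -> (False, ['accept', 'origin'])

    # Work-around from this page: add Origin and Accept to cors.supportedHeaders.
    print(preflight_headers_allowed("Origin, Accept, X-Requested-With", CHROME_PREFLIGHT))
    # -> (True, [])
```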