CORS Filter

Browser Bugs and Quirks

Browsers have improved considerably in recent years in adhering consistently to W3C standards, but they are not entirely there yet. To get your CORS application to function across all major browsers you'll have to make a few small tweaks and compromises.

Limitations imposed by Internet Explorer 8 + 9

Microsoft IE engineers were reportedly concerned about security and deliberately chose to restrict the capabilities of their CORS implementation. These restrictions are listed in great detail in Eric Law's MSDN blog article XDomainRequest - Restrictions, Limitations and Workarounds.

This effectively makes MS IE the lowest common denominator of all browser CORS implementations. So if you want to build a cross-domain application that works across all popular browsers, you'll have to fit into the following mold:

Update February 2012: Good news for developers! Internet Explorer 10 is expected to bring full CORS support through the XMLHttpRequest object as other browsers do. Read the MSDN article.

Google Chrome Bugs

In recent months I received a number of messages from CORS Filter users complaining about problems with Chrome which were eventually traced to a buggy browser implementation. Fortunately there is an easy work-around.

Chrome mistakenly includes Origin and Accept in the Access-Control-Request-Headers (still open as of April 2013)

This is reported as bug 108394. It will affect you only if your application causes the browser to make preflight CORS requests.

Work-around: Include Origin and Accept in the CORS Filter setting that lists the accepted request headers - see cors.supportedHeaders.

Origin, Accept
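
Why the work-around is needed, shown as an added example (not CORS Filter's own code): a simplified Java model of a server-side preflight check that compares Access-Control-Request-Headers against the configured allow-list. The class and method names and the Content-Type header are assumptions made for illustration.

```java
import java.util.Set;
import java.util.TreeSet;

// Added illustration: a simplified model of a preflight header check.
// Not CORS Filter's own code; class and method names are hypothetical.
public class PreflightHeaderCheck {

    // Parse a comma-separated header list into a case-insensitive set
    // (HTTP header field names are case-insensitive).
    static Set<String> parseList(String value) {
        Set<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        if (value == null) {
            return names;
        }
        for (String token : value.split(",")) {
            String name = token.trim();
            if (!name.isEmpty()) {
                names.add(name);
            }
        }
        return names;
    }

    // Return the requested headers that the allow-list does not cover.
    // An empty result means the preflight request can be approved.
    static Set<String> unsupported(String supportedHeaders,
                                   String accessControlRequestHeaders) {
        Set<String> allowed = parseList(supportedHeaders);
        Set<String> requested = parseList(accessControlRequestHeaders);
        requested.removeIf(allowed::contains);
        return requested;
    }

    public static void main(String[] args) {
        // Constructed sample: the value an affected Chrome build sends, with
        // Origin and Accept added to the one header the application sets
        // (Content-Type is an assumption for this example).
        String chromePreflight = "origin, accept, content-type";

        String before = "Content-Type";                 // only what the app needs
        String after  = "Origin, Accept, Content-Type"; // work-around value

        System.out.println("before: unsupported " + unsupported(before, chromePreflight));
        System.out.println("after:  unsupported " + unsupported(after, chromePreflight));
    }
}
```

Listing the two extra names explicitly keeps the allow-list limited to the headers the application actually expects plus the ones Chrome adds by mistake.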