Internet Explorer 10 is ignoring XMLHttpRequest 'xhr.withCredentials = true'
I’m currently having an issue with a cross-domain ajax call using IE10 (in IE10 mode, not compatibility).
Situation: I have two domains, http://a and http://b. I have a cookie set for http://b. I am currently on page http://a.
I want to do a CORS request to http://b using XMLHttpRequest (which should work, according to http://blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx), and include the cookie in the request. The JS is as follows:
var xhr = new XMLHttpRequest(); xhr.open('GET', 'http://b', true); xhr.withCredentials = true; xhr.send();
This should ensure that the cookie is attached to the request; however, the Fiddler trace shows that no cookie is attached, and I get 401: Access Denied.
The server is configured to work with CORS, it includes the Access-Control headers:
Access-Control-Allow-Origin: http://a Access-Control-Allow-Credentials: true
(this should not make any difference, since there is no OPTIONS preflight request, and the first request IE sends is a GET, and the cookie is not present, thus causing a 401).
Furthermore, the JS snippet works fine in both Firefox and Opera.
It's probably the same old IE P3P issue. With IE's default settings, if a cookie is set without a P3P header also present in the response, the cookie is marked as "first-party only". Which means that in a third-party context, such as an iframe or a CORS request, IE will refuse to send the cookie.
To fix it, you need to supply a P3P header when setting the cookies. See http://msdn.microsoft.com/en-us/library/ms537343%28v=vs.85%29.aspx for details.
Update: Link is now dead, but you can see it at the Internet Archive
I had a similar problem, and it turned out that the browser settings were blocking third-party cookies (IE10 > Internet Options > Privacy > Advanced > Third Party Cookies > Accept). To solve the problem, I checked "Override automatic cookie handling", "Accept" (Third-party Cookies) and "Always allow session cookies."
We added a header Vary : cookie and it worked..