Update posts/cors.md #216

Closed

toddself

It should be mentioned that IE8 and IE9 do not let you use CORS if your page is loaded from an HTTPS source.

It's a massive pain in the ass (and definitely caused me several frustrating debugging hours).

IE8 and IE9 do not let you use CORS if your page is loaded from an HTTPS source.
@paulirish
Member

whaaat

@mhausenblas

@toddself
Author

Load a page from an https URL in IE8 or IE9.

Attempt to make an XDR request from that page to another host correctly
configured for CORS.

It will fail because you cannot make an XDR request in IE 8 or 9 from a
page served over HTTPS.

You get no error or warning; it just fails silently.

This should be noted in this section because it's a pain in the ass to
figure out what's going on.

On Oct 20, 2012, at 17:52, Paul Irish notifications@github.com wrote:

> whaaat
>
> @mhausenblas https://github.com/mhausenblas


@mhausenblas

To be brutally honest with you guys: I don't have a friggin clue why this is the case but maybe @monsur does?

@toddself
Author

Why what is the case?

Why you can't use the XDomainRequest object in IE to retrieve documents from a foreign host over HTTPS when your page has been served from an HTTP server?

To quote from the IEInternals Blog at MSDN:

> However, this restriction is overly broad, because it prevents HTTP pages from issuing XDomainRequests targeted to HTTPS pages. While it’s true that the HTTP page itself may have been compromised, there’s no reason that it should be forbidden from receiving public resources securely.

In Chrome, Firefox, IE10, Opera, Safari, etc., this is possible.

In IE8 and IE9 it is not.

The CORS section of the site should explain the fact that these requests will fail and will fail silently.

Additionally, the XDomainRequest object in IE8/9 is unable to set any additional headers or mime-types. Being that a common use-case for using a CORS-type request is via some sort of API, if that API requires OAuth to present Authentication credentials (via the Authorization: OAuth [token] header), this additionally will be impossible. The API service would need to be able to obtain the authentication credentials from an alternate source than the Header.

@mhausenblas

Thanks, @toddself - added it to enable-cors.org staging area ...

@robwierzbowski
Contributor

@toddself ping. We've run into this recently on the application I work on. Would love to hear of any workarounds you've found, and if none to revise this PR and get it merged.

@toddself
Author

@robwierzbowski The workaround is quite a pain. You'll need to load an iframe from your HTTPS site that you want to communicate with, then use postMessage to handle the communication across the domains, and then have the iframe do the communication.

I feel the wording in the suggested change is rather clear -- CORS over HTTPS does not work in IE8 and IE9, even using an XDomain object. Not sure what else needs to be cleared up in order for this to be merged.
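
The iframe-and-postMessage workaround described in the comment above, as an added example that is not part of the original thread or of the project's code. It shows the message handler that would run inside the iframe, with the origin check and path allowlist that keep the bridge from serving arbitrary pages; the origin `http://app.example.test`, the route `/v1/status` and the `xhrGet` helper are assumptions.

```javascript
// Added example. Runs inside the iframe document served from the HTTPS API origin.
// The origin and route names used with it are hypothetical.

// Send a reply to the window that asked, and only to that origin (never '*').
function reply(event, payload) {
  event.source.postMessage(JSON.stringify(payload), event.origin);
}

// Build the "message" handler.
//   allowedParent   - exact origin of the page that embeds the iframe
//   allowedPaths    - object whose own keys are the API paths the bridge may call
//   fetchSameOrigin - function (path, callback(status, body)); in the browser this
//                     wraps XMLHttpRequest, which is same-origin inside the iframe
function makeBridgeHandler(allowedParent, allowedPaths, fetchSameOrigin) {
  return function onMessage(event) {
    // 1. Ignore messages from any window other than the expected parent.
    if (event.origin !== allowedParent) {
      return 'rejected-origin';
    }
    // 2. Messages are JSON text: IE8/9 postMessage carries strings only.
    var req;
    try {
      req = JSON.parse(event.data);
    } catch (e) {
      return 'rejected-format';
    }
    if (!req || typeof req.id !== 'number' || typeof req.path !== 'string') {
      return 'rejected-format';
    }
    // 3. The bridge is not an open proxy: only allowlisted paths are fetched.
    if (!Object.prototype.hasOwnProperty.call(allowedPaths, req.path)) {
      reply(event, { id: req.id, error: 'path not allowed' });
      return 'rejected-path';
    }
    // 4. Make the request from the iframe's own origin and hand back the result.
    fetchSameOrigin(req.path, function (status, body) {
      reply(event, { id: req.id, status: status, body: body });
    });
    return 'forwarded';
  };
}

// Browser wiring (IE8 has attachEvent, not addEventListener):
//   var handler = makeBridgeHandler('http://app.example.test', { '/v1/status': true }, xhrGet);
//   if (window.addEventListener) { window.addEventListener('message', handler, false); }
//   else { window.attachEvent('onmessage', handler); }
// xhrGet is a hypothetical XMLHttpRequest wrapper supplied by the iframe page.
```

The parent page needs the mirror-image check: it should accept replies only when `event.origin` equals the iframe's HTTPS origin and match them to requests by `id`.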

@arthurvr
Member

Since this was opened 2 years ago, is there somebody who wants to update this PR a little?

@toddself Would you like to update stuff?

@toddself
Author

The issue is that you cannot make a cross-domain request via https, regardless of what protocol the original page is served over, in IE 8.

On Dec 18, 2014, at 11:14, Monsur Hossain notifications@github.com wrote:

> So reviewing this thread, I don't think the issue is that IE8/9 can't make CORS requests to https, it's that XDomainRequest can't cross schemes. So an http client can't make a request to an https server, and vice versa. I can update the client page with the full list of XDomainRequest limitations. (Sorry for not addressing this early, I actually missed it the first time around).


@monsur

monsur commented Dec 19, 2014

Is there a repo case of this? I thought https->https CORS worked with XDomainRequest.


@Imran-imtiaz48 Imran-imtiaz48 left a comment

Review Comment:

Your update to the cors.md file is clear and informative. Adding the note about IE8 and IE9 not supporting CORS over HTTPS is a valuable addition, as it provides important context for users dealing with legacy browsers. The link to the MSDN blog for more details is also a helpful resource. Great job!

Suggestions for Improvement:

  1. Formatting the Note:

    • Consider adding a visual distinction for the note. You could use Markdown's blockquote to highlight the note:
      > **Note:** IE8 and IE9 do not support using [CORS over HTTPS](http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx).
  2. Link Text Consistency:

    • Ensure all your links have consistent formatting. For example, instead of:
      [XDomainRequest](http://msdn.microsoft.com/en-us/library/ie/cc288060(v=vs.85).aspx)
      consider using:
      [XDomainRequest](http://msdn.microsoft.com/en-us/library/ie/cc288060(v=vs.85).aspx)
      This makes the document look cleaner and more professional.
  3. Expanding on CORS Explanation:

    • While your current explanation of CORS is good, you might consider adding a brief example or use case to illustrate when and why CORS is necessary.
  4. Check for Broken Links:

    • Periodically verify that external links are still active and correct. The link to MSDN and the IE Internals blog should be checked for availability.

Overall, your changes are highly useful and improve the documentation significantly. With a few minor tweaks, it will be even better!

@toddself
Author

toddself commented Jul 8, 2024

no it's ok this pr is dead. it's been over a decade, with a clear warning "this is broken in these browsers" with no one ever approving it or providing feedback when asked

@toddself toddself closed this Jul 8, 2024