This has been a bit of a nightmare, once you start you will find hundreds of stackexchange articles about this and the problems you will have.
So here are some key things.
Below IE11 ? (maybe 10) CORS support was provided with the XDR object and this wasn’t automatically used in libraries like jQuery so your jQuery stuff wont work because IE doesnt use the proper XMLHttpRequest objects or what it has is borked. Till now at least. So IE11 right!.
There is some simple code you need in your .NET project.
This extract of System.webserver is needed (Dont just paste this you have to insert it into an existing section of your web.config.
This will allow ANYONE to connect. So go read up what each of these attribute do.
What they will do together is all get added to the HTTP headers returned to the server on all items, yes including your aspx pages, now feel free to work out how to restrict that, I had enough by this point and my site only has two things on it both needing this.
<!-- CORS Enabled -->
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="origin, content-type, accept" />
<add name="Access-Control-Allow-Credentials" value="true" />
<add name="Access-Control-Max-Age" value="31536000" />
Next you will need a global.asax (not a global.aspx.cs like some guides refer to)
The function Application_BeginRequest is one of those that gets called as part of the request lifecycle.
What we are doing here is handling the case when you are doing a non-standard request which for SOAP services will actually be “text/xml;”
Having a non-standard request initiates part of the CORS protocol that does what they call a pre-flight request, to ask the server, “is this allowed or what?”, you are reponding with a A=OK matey.
protected void Application_BeginRequest(object sender, EventArgs e)
if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
HttpContext.Current.Response.StatusCode = 200;
Thats its. That’s all you need to do server side to do this.
A matching client side request might look like this
contentType: "text/xml; charset="utf-8"",
For me all this started working. I did all my mappings, and pushed my array into knockout observables and Chrome was working brilliantly.
Then came IE. The pain, the endless searches.
Whilst debugging this I could see my “options” (preflight) request was being made and IE reported no headers returned. Which was nonsense cos chrome was doing it and working.
I rewrote that C# code over and over with many alternatives. Chatted to a nodejs bloke who showed me his code, which did exactly the same (well close enough).
That code works.
I saw articles that said that the website your connecting has to be in the Intranet security zone. Bullshit! If that’s the case how can you connect to yahoo or any other CORS compliant service.
So the one to watch when your developing this stuff. SELF CERT SSL.
If you have created a self cert and you browse to the service in IE and its got a RED un trusted cert and it will to begin with, this wont work. The confusing part is the chrome doesnt care, and also IE issues and gets the OPTIONS http request, instead of throwing an error before hand, it shows a 200 status, but it has to issue a request to know its not secure, its why it doesnt show any headers in the network analysis I suspect because at that point it just goes “eeek” and stops.
So export your certificate, dont next next next it, export it specifically to “trusted root” * DO THAT AT YOUR OWN RISK, if your not sure dont do it and go buy a proper cert to get this working.
Close your browser and check it worked by navigating to the service endpoint in the browser, if its not red it worked, if it is go do it again, but right.
With all this done you ajax call from IE11 should work with CORS.
If it don’t well good luck :-).