Why are CORS requests failing in Microsoft Edge but working in other browsers?

by

I’ll include below, verbatim, the answers that Eric Lawrence (creator of Fiddler) kindly provided on the Fiddler forum:

One possibility is that your computer is configured with an Intranet zone and that Intranet zone is dependent on a proxy configuration script: http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx. When Fiddler is running, the proxy settings are pointed at Fiddler itself.

… there’s another factor at work here if you’re using an Intranet site as the target of an XHR from a site in the Internet zone.

Edge runs in Enhanced Protected Mode (AppContainer). That has a feature which blocks access to Private Network Resources from Internet-Zone processes. See the “Private Network resources” section of http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx for more details.

I added local.myapp.test (the URL I’m running my SPA from) to the Local Intranet zone in Internet Options and now Edge is happy without the need for Fiddler.

More Related Contents:

  1. How to resolve ‘preflight is invalid (redirect)’ or ‘redirect is not allowed for a preflight request’
  2. Access-Control-Allow-Origin wildcard subdomains, ports and protocols
  3. What is an opaque response, and what purpose does it serve?
  4. How to enable Cross domain requests on JAX-RS web services?
  5. Adding Access-Control-Allow-Origin header response in Laravel 5.3 Passport
  6. same-origin policy and CORS – what’s the point?
  7. What is the issue CORS is trying to solve?
  8. How to apply CORS preflight cache to an entire domain
  9. Why is Access-Control-Expose-Headers needed?
  10. Microsoft Edge blocked cross-domain requests sent to IPs in same private network CIDR
  11. XMLHttpRequest: Network Error 0x80070005, Access is denied on Microsoft Edge (but not IE)
  12. Are there any browsers that set the origin header to “null” for privacy-sensitive contexts?
  13. jQuery XML error ‘ No ‘Access-Control-Allow-Origin’ header is present on the requested resource.’
  14. Firebase Storage and Access-Control-Allow-Origin
  15. Access-Control-Allow-Origin error sending a jQuery Post to Google API’s
  16. Request header field Access-Control-Allow-Headers is not allowed by Access-Control-Allow-Headers
  17. Why am I seeing an “origin is not allowed by Access-Control-Allow-Origin” error here? [duplicate]
  18. How to enable cors nodejs with express?
  19. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  20. Firefox ‘Cross-Origin Request Blocked’ despite headers [closed]
  21. API Gateway CORS: no ‘Access-Control-Allow-Origin’ header
  22. What are the integrity and crossorigin attributes?
  23. Spring Boot CORS filter – CORS preflight channel did not succeed
  24. CORS support for PUT and DELETE with ASP.NET Web API
  25. Axios having CORS issue
  26. Twitter API authorization fails CORS preflight in browser
  27. Disable cross domain web security in Firefox
  28. Getting Spotify API access token from frontend JavaScript code
  29. AWS CloudFront: Font from origin has been blocked from loading by Cross-Origin Resource Sharing policy
  30. Does Wikipedia API support CORS or only JSONP available?

Leave a Comment