mikew - 17 days ago
Ajax Question

CORS request failure with jQuery using withCredentials and client certificates

I can't figure out why this CORS request is failing to return data.

I'm using Catalyst MVC on the backend, Firefox 24.0 as the browser, and jQuery 1.9.1. Please note the following:

  1. otherdomain.com requires a client certificate.
  2. Hitting the resource directly (https://otherdomain.com/resource/1) returns the expected data.

I have a simple page that tests the request:

<script type='text/javascript'>
// Issue a credentialed cross-origin GET and log the outcome.
function get_data() {
    console.log("running");
    $.ajax({
        url: "https://otherdomain.com/resource/1",
        dataType: 'json',
        type: 'GET',
        // Send cookies / client certificate with the cross-origin request.
        xhrFields: {
            'withCredentials': true
        },
        crossDomain: true
    }).done(function(data) {          // .success()/.error() were deprecated in jQuery 1.8; .done()/.fail() are the equivalents
        console.log(data);
        $('#output').html(data);
    }).fail(function(xhr, status, error) {
        alert("error");
        console.log(xhr);            // status 0 / readyState 0 here means the browser blocked the response
    });
}

$(document).ready(function() {
    get_data();
});
</script>


Here are my request headers:

GET /resource/1 HTTP/1.1
Host: otherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://mydomain.com/test.html
Origin: https://mydomain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


Here are my response headers (copied from the Firebug console's view source). I see in my Catalyst debug output that the request is served as 200 OK and the content is sent.

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2013 19:31:08 GMT
Server: HTTP::Server::PSGI
Vary: Content-Type
Content-Length: 653
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1800
X-Catalyst: 5.90030
Via: 1.1 otherdomain.com


And the error is thrown from the ajax call:

readyState: 0
responseText: ""
status: 0
statusText: "error"


Firebug shows the response body as empty for the request, even though it's a 200 OK.

I thought that when using 'withCredentials' a preflight request was required, but I don't see an OPTIONS request being sent in Firebug.

Also, I can see no Access-Control-Request-Headers being added by my request, so I'm not returning any Access-Control-Allow-Headers from the server.

Now, the front end of Catalyst is Apache2, and I'm using ProxyPass in a virtual host to send the request to Catalyst on localhost:8080. I'm not sure if that has any bearing, but I thought it might be important. It should be transparent to the browser, though.

Thanks for any help!

Answer
  1. GET requests are not preflighted. See Here
  2. When responding to a credentialed request, the server must specify a domain and cannot use wildcarding (it must not be Access-Control-Allow-Origin: *). See Here
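To make point 2 concrete, here is an added example (not from the question, the answer, or Catalyst) of the server-side logic that replaces the wildcard with an echoed, allowlisted origin, alongside a check that mirrors what the browser enforces on a credentialed response. The allowlist and the copy of the question's failing headers are constructed for the example.

```javascript
// Origins permitted to make credentialed cross-origin calls (assumed allowlist).
const ALLOWED_ORIGINS = new Set(["https://mydomain.com"]);

// Build the CORS response headers for a request carrying `origin`.
// With credentials the browser rejects "*", so the allowed origin is echoed
// back verbatim; Vary: Origin stops caches reusing the response for another origin.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) {
    return {}; // unknown origin: send no CORS headers, so the browser blocks the read
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Vary": "Origin",
  };
}

// Apply the browser's rules for a credentialed (withCredentials: true) response.
// Returns null when the page may read the response, otherwise the blocking reason.
function credentialedResponseBlockedReason(requestOrigin, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) return "missing Access-Control-Allow-Origin";
  if (acao === "*") return "wildcard origin not allowed with credentials";
  if (acao !== requestOrigin) return "origin mismatch";
  // The value must be exactly "true"; "True" or "1" is rejected.
  if (acac !== "true") return "Access-Control-Allow-Credentials must be exactly \"true\"";
  return null;
}

// Constructed copy of the relevant headers from the question's failing response.
const QUESTION_RESPONSE = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};

// Walk through the failing case and the corrected one.
function demo() {
  const origin = "https://mydomain.com";
  return {
    before: credentialedResponseBlockedReason(origin, QUESTION_RESPONSE),
    after: credentialedResponseBlockedReason(origin, corsHeadersFor(origin)),
  };
}
```

Running demo() gives `before: "wildcard origin not allowed with credentials"` and `after: null`, which is exactly the transition from the question's status-0 error to a readable response.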