Question

Based on all of the documentation I have read on CORS support in IE9/IE8, it seems quite clear that:

  1. You cannot initiate a CORS request in these browsers using XMLHttpRequest. You must use IE's proprietary XDomainRequest.
  2. XDomainRequest does not support preflighting. My understanding of this limitation suggests that you can only send POST or GET CORS requests and these requests may only contain simple headers. Furthermore, there are other very odd limitations Microsoft has put on XDR requests, but that's not entirely important here.

So, what I have is a page at http://192.168.1.1:8080. Using XMLHttpRequest, I was attempting to send a DELETE request to http://192.168.1.1:9000. I fully expected this to fail. I was just doing a sanity check before I re-thought the associated request to ensure that it would work for CORS requests once I switch to use of XDR. Again, I am using IE8 here.

```js
var xhr = new XMLHttpRequest();
xhr.open("DELETE", "http://192.168.1.1:9000", true);
xhr.send();
```

Oddly enough, the request seemed to succeed. The DELETE action handler was hit on the server at port 9000. I returned a response, and I was able to access responseText on the XHR object instance.

I can't imagine why this actually worked. It seems like it shouldn't have, unless I am missing something here. Does anyone have any ideas?

Solution

After some investigation and testing, I came to realize that IE does not properly follow the definition of "same origin" codified in RFC 6454 Section 5. In particular, IE considers two addresses with differing ports to be the same origin, provided they also use the same protocol and host. The RFC specifically states that the port should also be considered.

Microsoft does not properly comply with this RFC in all versions of IE, including IE10. Surprise, surprise. So, in IE10 and older, the behavior I observed is expected. In all other browsers, it is not.
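
The two comparison rules from the answer side by side, as an added example that is not part of the original post: `sameOriginRfc6454` compares scheme, host and port as RFC 6454 Section 5 requires, while `sameOriginIgnoringPort` leaves the port out, which is the behaviour the answer reports for IE10 and older. The function names and the sample URLs marked as constructed are assumptions for illustration; only the first URL pair comes from the question.

```javascript
// Added illustration, not code from the original post.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Origin triple per RFC 6454 Section 4: (scheme, host, port), with the
// scheme's default port filled in when the URL does not name one.
function originTuple(url) {
  const u = new URL(url);
  const scheme = u.protocol.toLowerCase();
  if (!(scheme in DEFAULT_PORTS)) {
    throw new Error("unsupported scheme: " + scheme);
  }
  const port = u.port === "" ? DEFAULT_PORTS[scheme] : Number(u.port);
  return { scheme, host: u.hostname.toLowerCase(), port };
}

// RFC 6454 Section 5: same origin only if scheme, host and port all match.
function sameOriginRfc6454(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Comparison as the answer describes it for IE10 and older: port is ignored.
function sameOriginIgnoringPort(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host;
}

// How each rule would classify a request from pageUrl to targetUrl.
function classify(pageUrl, targetUrl) {
  const label = (same) => (same ? "same-origin" : "cross-origin");
  return {
    rfc6454: label(sameOriginRfc6454(pageUrl, targetUrl)),
    ignoringPort: label(sameOriginIgnoringPort(pageUrl, targetUrl)),
  };
}

const cases = [
  ["http://192.168.1.1:8080", "http://192.168.1.1:9000"],  // from the question
  ["http://192.168.1.1", "http://192.168.1.1:80"],         // constructed: default port
  ["http://192.168.1.1:8080", "https://192.168.1.1:8080"], // constructed: scheme differs
  ["http://192.168.1.1:8080", "http://192.168.1.2:8080"],  // constructed: host differs
];
for (const [page, target] of cases) {
  console.log(page, "->", target, classify(page, target));
}
```

Under the port-ignoring rule the question's DELETE is classified same-origin and is sent without any CORS check, so a service on another port of the same host needs its own authentication and CSRF defences rather than relying on the browser to treat it as a separate origin.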

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow