IE9 X-Frame-Options deny upload

StackOverflow https://stackoverflow.com/questions/17053893

Question

I'm in a big trouble here. I got a .Net MVC 4 application that uses Kendo UI as layout base and for upload too. The upload works fine on all browsers except on an IE9 (9.0) running on a Windows Server 2008 RC2 x64 - I don't really know if those info are important.

It gives me the error SCRIPT5: Access Denied when Kendo tries to send the async call. According to this post of a Telerik's Member in kendo UI Foruns, Kendo creates an iframe to make async uploads possible on prior versions to IE10.

I tryied adding a header on webconfig of the api:

<customHeaders>
    <add name="Access-Control-Allow-Credentials" value="true" />
    <add name="X-Frame-Options" value="ALLOW-FROM *"/>
</customHeaders>

The other headers for CORS are implicity set on a CORS Handler Class like this on api.

So I can see that header on the Response Headers on the IE request, so IE do retrieves it. I don't know the support - speciallly in IE - for the value ALLOW-FROM neither if it accepts *. But I tried using SAMEORIGIN value for that header and it doesn't worked and I have reason for it: My WebApi isn't on the same address as the Front-End. They're at different servers and addesses. The upload is sent directly to the Api on this url:

http://dev.******.com/webserviceapi/api/UserProfile/Upload

And the Front-End is in:

http://dev.******.com/portal/

The supressed content in url are the same for both addresses.

So I have no ideia how to achieve this. This error doesn't fit anything I've found on web. Any help will be very appreciated!! Thank you in advance.

Was it helpful?

Solution

I think it may be the opened state,

Use this

if (xhr.readyState == 1 /* OPENED */)

this is opened in server side, server connection opened, refer this

If you have used this class from msdn blog

public class ValuesController : ApiController

if the class is not public then also you might get error.. before CORS..

have you seen the second comment in the Blog...

jQuery.support.cors = true; you need to changed this to make it explicitly support the not supporting cross domai calls, the next comment says...

that flag tells jQuery to use an alternative object for making cross-domain calls if the browser doesn't natively support it on its XmlHttpRequest implementation. For example, in IE8 that will cause jQuery to switch from XmlHttpRequest to the **XDomainRequest** object (in IE10 they "fixed" it in a way that XmlHttpRequest can be used for all requests). Regardless of the object on the client, the server still needs to "play the game" and return the appropriate headers so that the browser will allow such requests to be made.

Yes the post from Teleric Team Member is logically perfect, but each IE has its own way to deal with events and system, (painfully, this is one of that..BUG) I have not found list of bugs of IE9 yet but have one link that states IE8 bugs just refer if that relates, this is useful as we know what we need to deal with.. :)

Try readyState == 2 if that works fine..

I think there must be some small thing that you must be missing..

refer second article from same author on msdn blog

refer this if that helps quirkmode

I am not regular user of mvc so can't judge this situations other aspects properly..

I am looking for other reasons, will post if find something related..

I hope this will help...

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top