XDomainRequest Vs XMLHttpRequest on IE8 and IE9

StackOverflow https://stackoverflow.com/questions/18077182

Question

I am very confused with the XMLHttpRequest and the XDomainRequest reincarnation and would like some help. So here are my findings:

  1. The XDomainRequest in IE8 and IE9 seems to be some kind of XMLHttpRequest sub class(?)
  2. The XDomainRequest lacks the "withCredentials"
  3. The XDomainRequest lacks the "onLoad" event forcing you to use state and status IFs - EDIT: This is not exactly true. onLoad is available if you instantiate the XDomainRequest in IE8 and IE9. If you instantiate an XMLHttpRequest in EI8 or IE9 though, the onLoad is not available. We will see below why this is important.
  4. Also, it submits data as plain/text and not as form forcing you parse you inputstream at the back end.
  5. Even if the CORS server "Allow-Headers" directive allows for the Set-Cookie to be read by the client, the XDomainRequest does not expose it making impossible to use cookie stored session iDs to be used for authentication.
  6. Finally if I am not wrong, it allows only POST and GET http methods rendering it useless for RestFull web services.

This list is by no means complete and as I said it is based on my findings. However, here is where the confusion starts. I have an application where via Ajax I must:

  • Obtain (cross domain) via GET an encryption key along with a session id associated with it.
  • Encrypt my user password using this key (no problem here)
  • Login to the cross domain (where I got the key at step 1) using the POST and x-www-form-urlencoded username and the encrypted password.

Now for all the above reasons I cannot do this with the XDomainRequest:

  • First because the XDomainRequest:open(method, url) sends only plain text and my third party application is expecting form (I can write a filter/request interceptor but this is not the point).
  • Because my session id that arrives with the encryption key through the Set-Cookie header (step 1) is never sent back to the cross domain when login as a header since the XDomainRequest does not expose headers.

Nevertheless if in IE8 and IE9 I instantiate a XMLHttpRequest disregarding all these checks described here, all is working fine!!! OK I do not get the onload event and I am not sure what is the story with the "withcredentials" but IE8 and IE9 seems to have no problem using the XMLHttpRequest for cross domain. But why? Aren't all these contradictory? I am just trying to make some sense of this issue as I am afraid that using the XMLHttpRequest in IE8 and IE9 may come back and bite at some point. Could I ask for a clear example when someone can use the one and not the other? Even better, was there ever any update to IE8 and IE9 that addressed the problem?

Any help will be greatly appreciated Yiannis

Was it helpful?

Solution

First note this:

IE11 deprecates the XDomainRequest object and it is not available in IE11 Edge mode.

1) What is XDomainRequest and why IE has this object? Several years ago then XMLHTTPRequest 2 spec was developing by W3C all browsers build level 2 over XMLHTTPRequest level 1 Microsoft create the XDomainRequest. So XDomainRequest is not a subclass, this is a non-standard IE feature.

2) Yes, XDomainRequest lacks the "withCredentials". Because:

In order to prevent misuse of the user’s ambient authority (e.g. cookies, HTTP credentials, client certificates, etc), the request will be stripped of cookies and credentials and will ignore any authentication challenges or Set-Cookie directives in the HTTP response. XDomainRequests will not be sent on previously-authenticated connections, because some Windows authentication protocols (e.g. NTLM/Kerberos) are per-connection-based rather than per-request-based.

4)

As of 2014, XDomainRequest doesn't appear to send any Content-Type header at all. It's not clear to me when this changed.

And etc. And so on... I post this answer just for history.

Do not use XDomainRequest. This is ugly&bugly non-standard feature.

More info here:

  1. http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
  2. http://www.html5rocks.com/en/tutorials/cors/
  3. http://msdn.microsoft.com/en-us/library/ie/cc288060%28v=vs.85%29.aspx
  4. https://developer.mozilla.org/en-US/docs/Web/API/XDomainRequest

OTHER TIPS

but IE8 and IE9 seems to have no problem using the XMLHttpRequest for cross domain

This point is not true.The only way to send CORS in IE8/9 is to use the non-standard XDomainRequest.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top