
CORS request failure with jQuery using withCredentials and client certificates

I can't figure out why this CORS request is failing to return data.

I'm using Catalyst MVC on the backend, Firefox 24.0 as the browser, and jQuery 1.9.1. Please note the following:

  1. otherdomain.com requires a client certificate.
  2. Hitting the resource directly (https://otherdomain.com/resource/1) returns the expected data.

I have a simple page that tests the request:

<script type='text/javascript'>
    // Assumes jQuery 1.9.1 is already loaded on the page.
    function get_data() {
        console.log("running");
        $.ajax({
            url: "https://otherdomain.com/resource/1",
            dataType: 'json',
            type: 'GET',
            // Send credentials (cookies / client certificate) with the cross-origin request.
            xhrFields: {
                withCredentials: true
            },
            crossDomain: true
        }).done(function(data) {            // .success() is a deprecated alias of .done()
            console.log(data);
            // .html(data) on a parsed JSON object would not render it; show the text instead.
            $('#output').text(JSON.stringify(data));
        }).fail(function(xhr, status, error) {   // .error() is a deprecated alias of .fail()
            alert("error");
            console.log(xhr);
        });
    }

    $(document).ready(function() {
        get_data();
    });
</script>

Here are my request headers:

GET /resource/1 HTTP/1.1
Host: otherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://mydomain.com/test.html
Origin: https://mydomain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Here are my response headers (copied from "view source" in the Firebug console). I can see in my Catalyst debug output that the request is served as 200 OK and the content is sent.

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2013 19:31:08 GMT
Server: HTTP::Server::PSGI
Vary: Content-Type
Content-Length: 653
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1800
X-Catalyst: 5.90030
Via: 1.1 otherdomain.com

And here is the error from the ajax call:

readyState: 0
responseText: ""
status: 0
statusText: "error"

Firebug shows the response body for the request as empty, even though it's a 200 OK.

I thought that when using 'withCredentials' a preflight request was required, but I don't see an OPTIONS being sent in Firebug.

Also, I can see no Access-Control-Request-Headers header being added to my request, so I'm not returning any Access-Control-Allow-Headers from the server.

Now, the frontend of Catalyst is Apache2, and I'm using ProxyPass in a virtual host to send the request to Catalyst on localhost:8080. I'm not sure if that has any bearing, but thought it might be important. It should be transparent to the browser, though.

Thanks for any help!

  1. GET requests are not preflighted. See here.
  2. When responding to a credentialed request, the server must specify a domain and cannot use wildcarding (it must not send Access-Control-Allow-Origin: *). See here.

I have a similar issue, where everything works fine in Chrome, but I get 405 for all cross-domain requests in Firefox (and similar problems with IE). I tried adding xhrFields and the crossDomain flag. I am also using beforeSend to actually do xhr.withCredentials = true. I made sure that I have a hostname match on the service backend. I use the Access-Control-Allow-Credentials header.

The one thing that might be different... I only send these headers when the Origin header is present, because if I don't get Origin, my only possible response for Access-Control-Allow-Origin would be *, since I would not know what the origin is.
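The following is an added example, not code from the original question, the answer, or the Catalyst application; it models both halves of the credentialed CORS exchange that the answer above and the follow-up comment describe. corsHeadersFor() is the server-side decision (what the Catalyst app behind Apache should emit, keyed on an assumed allowlist of origins, sending nothing when there is no Origin header or the origin is unknown, rather than falling back to "*"), and passesCorsCheck() is the check a browser applies to the response before handing the body to XMLHttpRequest. Running the response headers from the question through the browser-side check shows why the script saw status 0 and an empty responseText even though the server logged 200 OK. The second origin in the allowlist and all function names are assumptions for the example.

```javascript
// Added example (not from the original post). Runs offline under Node.

// Assumed allowlist of front-ends permitted to make credentialed requests.
const ALLOWED_ORIGINS = new Set([
  "https://mydomain.com",        // the page in the question
  "https://admin.mydomain.com",  // assumed second front-end
]);

// Lowercase header names so both sides can look them up the same way.
function lower(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
}

// Server side: decide the CORS response headers for one request.
// `reqHeaders` is a plain object with lowercased header names.
function corsHeadersFor(reqHeaders) {
  const origin = reqHeaders["origin"];
  // No Origin header: not a browser cross-origin request (same-origin page,
  // curl, server-to-server). Emit nothing instead of guessing with "*".
  if (!origin) return {};
  // Unknown origin: emit no ACAO at all; the browser then blocks the read.
  // Never reflect an arbitrary Origin together with ACAC: true, since that
  // lets any site make authenticated requests and read the responses.
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,      // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Max-Age": "1800",
    // Caches must key on Origin, or one origin's headers get served to another.
    "Vary": "Origin",
  };
}

// Browser side: the resource-sharing check a browser applies to a response
// for a request sent from `requestOrigin`. Cookies, HTTP auth and TLS client
// certificates are all "credentials", so the credentialed branch applies to
// the client-certificate setup in the question too.
function passesCorsCheck(requestOrigin, withCredentials, resHeaders) {
  const acao = resHeaders["access-control-allow-origin"];
  const acac = resHeaders["access-control-allow-credentials"];
  if (acao === undefined) return false;
  if (!withCredentials) {
    return acao === "*" || acao === requestOrigin;
  }
  // Credentialed: "*" is rejected, an exact match is required, and
  // Access-Control-Allow-Credentials must be the literal string "true".
  return acao === requestOrigin && acac === "true";
}

// Constructed from the response headers shown in the question: the server
// answered "Access-Control-Allow-Origin: *" to a withCredentials request.
const questionResponse = lower({
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Origin": "*",
});

// The fixed exchange: run the same request through corsHeadersFor() first.
const fixedResponse = lower(corsHeadersFor(lower({ Origin: "https://mydomain.com" })));

function demo() {
  return {
    // false: browser discards the body, XHR reports status 0 / readyState 0
    brokenResult: passesCorsCheck("https://mydomain.com", true, questionResponse),
    // true: body is handed to the .done() callback
    fixedResult: passesCorsCheck("https://mydomain.com", true, fixedResponse),
  };
}

console.log(demo()); // { brokenResult: false, fixedResult: true }
```

The key point the example makes explicit is that the server's 200 OK and the body were real; the browser received them and then refused to expose them to the script because "*" is not an acceptable Access-Control-Allow-Origin for a credentialed request. Echoing an allowlisted Origin is the fix; echoing any Origin unconditionally would pass the same check but turns the client-certificate or cookie authentication into a cross-site request forgery vector.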
