CORS issue between subdomain on IE

Question

I have 3 subdomains clients.mywebsite.com, admins.mywebsite.com, api.mywebsite.com

api.mywebsite.com is the restful service consumed by the other two websites. When calling the API from the websites I got some cross origin issues. I was able to fix this issue on most browsers by setting 'Access-Control-Allow-Origin', '*' at the API. But in Internet Explorer this issue remained the same.

I was able to fix this manually by enabling CORS (this is turned off by default) in IE

Alt -> Tools -> Internet Options -> Security (Tab) -> Custom Level -> Miscellaneous -> Access data sources across domains -> Set to Enable

And then from the console of the IE debugger I tried a GET request

var xhttp= new XMLHttpRequest();
xhttp.open("GET", "https://api.mywebsite.com/v1/", true);
xhttp.send();

after that, all the GET and POST request started working normally and I was able to log in. I can't make the clients configure IE in such a way. What are some alternate solutions ?

Answer 1

In IE 9 and earlier you could use the way you using to configure IE to deal with CORS issues. In IE 10+, your server must attach the following headers to all responses:

Access-Control-Allow-Origin: http://example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: ACL, CANCELUPLOAD, CHECKIN, CHECKOUT, COPY, DELETE, GET, HEAD, LOCK, MKCALENDAR, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, REPORT, SEARCH, UNCHECKOUT, UNLOCK, UPDATE, VERSION-CONTROL
Access-Control-Allow-Headers: Overwrite, Destination, Content-Type, Depth, User-Agent, Translate, Range, Content-Range, Timeout, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Location, Lock-Token, If
Access-Control-Expose-Headers: DAV, content-length, Allow

Optionally you can also attach the Access-Control-Max-Age header specifying the amount of seconds that the preflight request will be cached, this will reduce the amount of requests:

Access-Control-Max-Age: 3600

You could refer to this link about implementing CORS for a specific server.

If you don't want to use the way you using, you could refer to this article to bypass CORS:

The way we can bypass it is, rather calling the API from your browser to the other domain, call your own domain API (for example /api) and at nginx (or any other web server) level proxy it to the destination server.