Skip to content

Instantly share code, notes, and snippets.

@mathieucarbou
Created July 29, 2011 23:45
Show Gist options
  • Save mathieucarbou/1114981 to your computer and use it in GitHub Desktop.
Save mathieucarbou/1114981 to your computer and use it in GitHub Desktop.
jQuery CORS Plugin - transparently add CORS support for IE8+ in jQuery using XDomainRequest. Support cookies.
PROJECT MOVED TO https://github.com/Ovea/cors
/**
* https://gist.github.com/1114981
*
* By default, support transferring session cookie with XDomainRequest for IE. The cookie value is by default 'jsessionid'
*
* You can change the session cookie value like this, before including this script:
*
* window.SESSION_COOKIE_NAME = 'PHP_SESSION';
* window.SESSION_COOKIE_NAME = 'ID';
*
* Or if you want to disable cookie session support:
*
* window.SESSION_COOKIE_NAME = null;
*
* ================
* MINIFIED VERSION
* ================
* (function(c){if(c.browser.msie&&"XDomainRequest"in window&&!("__jquery_xdomain__"in c)){c.__jquery_xdomain__=c.support.cors=!0;var e=function(a){return"object"===c.type(a)?a:(a=/^(((([^:\/#\?]+:)?(?:\/\/((?:(([^:@\/#\?]+)(?:\:([^:@\/#\?]+))?)@)?(([^:\/#\?]+)(?:\:([0-9]+))?))?)?)?((\/?(?:[^\/\?#]+\/+)*)([^\?#]*)))?(\?[^#]+)?)(#.*)?/.exec(a))?{href:a[0]||"",hrefNoHash:a[1]||"",hrefNoSearch:a[2]||"",domain:a[3]||"",protocol:a[4]||"",authority:a[5]||"",username:a[7]||"",password:a[8]||"",host:a[9]||"", hostname:a[10]||"",port:a[11]||"",pathname:a[12]||"",directory:a[13]||"",filename:a[14]||"",search:a[15]||"",hash:a[16]||""}:{}},f=c.ajaxSettings.xhr,d="SESSION_COOKIE_NAME"in window?window.SESSION_COOKIE_NAME:"jsessionid",g=e(document.location.href).domain;c.ajaxSettings.xhr=function(){var a=e(this.url).domain;if(""===a||a===g)return f.call(c.ajaxSettings);try{var b=new XDomainRequest;if(!b.setRequestHeader)b.setRequestHeader=c.noop;if(!b.getAllResponseHeaders)b.getAllResponseHeaders=c.noop;if(d){var h= b.open;b.open=function(){var a=RegExp("(?:^|; )"+d+"=([^;]*)","i").exec(document.cookie);if(a=a&&a[1]){var b=arguments[1].indexOf("?");arguments[1]=-1==b?arguments[1]+(";"+d+"="+a):arguments[1].substring(0,b)+";"+d+"="+a+arguments[1].substring(b)}return h.apply(this,arguments)}}b.onload=function(){if("function"===typeof b.onreadystatechange)b.readyState=4,b.status=200,b.onreadystatechange.call(b,null,!1)};b.onerror=b.ontimeout=function(){if("function"===typeof b.onreadystatechange)b.readyState=4, b.status=500,b.onreadystatechange.call(b,null,!1)};return b}catch(i){}}}})(jQuery);
* ================
*/
(function ($) {
var ns = '__jquery_xdomain__',
sc = 'SESSION_COOKIE_NAME';
if ($.browser.msie && 'XDomainRequest' in window && !(ns in $)) {
$[ns] = $.support.cors = true;
function parseUrl(url) {
if ($.type(url) === "object") {
return url;
}
var matches = /^(((([^:\/#\?]+:)?(?:\/\/((?:(([^:@\/#\?]+)(?:\:([^:@\/#\?]+))?)@)?(([^:\/#\?]+)(?:\:([0-9]+))?))?)?)?((\/?(?:[^\/\?#]+\/+)*)([^\?#]*)))?(\?[^#]+)?)(#.*)?/.exec(url);
return matches ? {
href:matches[0] || "",
hrefNoHash:matches[1] || "",
hrefNoSearch:matches[2] || "",
domain:matches[3] || "",
protocol:matches[4] || "",
authority:matches[5] || "",
username:matches[7] || "",
password:matches[8] || "",
host:matches[9] || "",
hostname:matches[10] || "",
port:matches[11] || "",
pathname:matches[12] || "",
directory:matches[13] || "",
filename:matches[14] || "",
search:matches[15] || "",
hash:matches[16] || ""
} : {};
}
var oldxhr = $.ajaxSettings.xhr,
sessionCookie = sc in window ? window[sc] : "jsessionid",
domain = parseUrl(document.location.href).domain;
$.ajaxSettings.xhr = function () {
var target = parseUrl(this.url).domain;
if (target === "" || target === domain) {
return oldxhr.call($.ajaxSettings)
} else {
try {
var xdr = new XDomainRequest();
if (!xdr.setRequestHeader) {
xdr.setRequestHeader = $.noop;
}
if (!xdr.getAllResponseHeaders) {
xdr.getAllResponseHeaders = $.noop;
}
if (sessionCookie) {
var open = xdr.open;
xdr.open = function () {
var cookie = new RegExp('(?:^|; )' + sessionCookie + '=([^;]*)', 'i').exec(document.cookie);
cookie = cookie && cookie[1];
if (cookie) {
var q = arguments[1].indexOf('?');
if (q == -1) {
arguments[1] += ';' + sessionCookie + '=' + cookie;
} else {
arguments[1] = arguments[1].substring(0, q) + ';' + sessionCookie + '=' + cookie + arguments[1].substring(q);
}
}
return open.apply(this, arguments);
};
}
xdr.onload = function () {
if (typeof xdr.onreadystatechange === 'function') {
xdr.readyState = 4;
xdr.status = 200;
xdr.onreadystatechange.call(xdr, null, false);
}
};
xdr.onerror = xdr.ontimeout = function () {
if (typeof xdr.onreadystatechange === 'function') {
xdr.readyState = 4;
xdr.status = 500;
xdr.onreadystatechange.call(xdr, null, false);
}
};
return xdr;
} catch (e) {
}
}
};
}
})(jQuery);
@ngamradt
Copy link

One additional note, on our main website we still have 10% of our users on IE7, which doesn't have XDomainRequest. I don't want to have JSONP copies of my JSON just for those 10%. However, I found another project on github.com that would fix things for IE7 users (requires Flash, but hey, that's what you get for using that old of a browser). Perhaps merging it with your extension would make for one nice and powerful CORS extension for jQuery as I am sure others also still have to support IE7. The project in question is the following:

https://github.com/borisreitman/CrossXHR

If you feel it would be practical to do this merge/addition, just let me know and I will see if I can make some time to make a clean merge. Of course, if you like this idea and have time to make the change before I do, I won't be offended :-) Thanks again for your nice plugin.

@mathieucarbou
Copy link
Author

@tauren
Copy link

tauren commented Jul 30, 2012

At first I thought this might work for us to add CORS support in IE8+, but I don't think it won't work for my situation. We are using an HttpOnly "rememberMe" cookie for authorization. Because it is an HttpOnly cookie, the browser can't read the cookie, so there would be no way for the JS to rewrite the cookie into the request.

Any ideas? For our project, using HttpOnly cookies is a requirement that we cannot change. Looks like we're going to have to go with EasyXDM or something similar.

@mathieucarbou
Copy link
Author

Yes of course this is the drawback... HttpOnly cannot be used :-(

@mathieucarbou
Copy link
Author

Oups! Correction: it works ! We are both using this in 2 projects and yes it works. The reason is that with CORS on IE, since you cannot transport cookies in headers, they can be passed through the request parameters. Thus accessible on server-side (our remember-me implementation first check in request cookies then in request param to see if the rememberMe key is there).
Then if a remember-me cookie is changed or set on server-side, since IE CORS cannot sent the Set-Cookie header, the header is sent within the request body. This is done with our Java Cors Filter which enhances the request body and supports Gzip. So on clients-side, if some cookies are found in an enhanced request body, cookies are written with javascript and thus get back in javascript for next request.
So HttpOnly is clearly ignored for IE CORS to be able to keep sessions active and recover them.

@mathieucarbou
Copy link
Author

NB: you should check https://github.com/Ovea/cors. It is deployed in Maven repository.

@tauren
Copy link

tauren commented Jul 30, 2012

Thanks for the information, that is pretty slick. And I have been checking out the Ovea/cors project.

But I'm still not sure how it would solve our problem. We have a static html page. When the page loads, an AJAX call is made to get the current user information. So assume that the user logged in during a previous session and got a rememberMe cookie. Then another day, in a new session, he loads the page again and an AJAX call is made to load the current user. How would that ajax call pass the rememberMe cookie to the server?

@mathieucarbou
Copy link
Author

Our plugin does it automatically by getting the cookies previously registered for this domain.

@simonweil
Copy link

Hi,
I'm trying to set a cookie using your ie CORS solution but for some reason the cookie doesn't seem to be set in IE9.
I am using the setcookie PHP function to set the cookie.
Can you advise?

@danielrhodeswarp
Copy link

I don't get how this is supposed to work. Will it make the $.ajax() method magically support CORS on IE9 (by using the XDomainRequest)?

Because, when I add it into my codebase (by including the JavaScript after the jQuery JavaScript), IE9 CORS still does not work. I get a "Security error" alert.

Do I also need to tinker with the Access-Control-Allow-Origin type headers that the remote server returns?

@phornby
Copy link

phornby commented Apr 26, 2013

I'm having some issues. When the "resp" variable is created, my array comes back with an empty string for the header. I see that the method parseResponse is returning my empty header, but I have no idea why it's empty. Does the parseResponse method look for JSON formatted data? I'm currently using text/html when I do my GET. Any help would be great. Thanks for the plugin!

@NadavK
Copy link

NadavK commented Jun 30, 2013

This plugin is exactly what I am looking for to upload content to S3 on IE8/IE9.
But I am receiving an error from S3 "The specified method is not allowed against this resource" - the method is POST.
The error occurs on the first request to S3 (after I correctly receive the json data from my backend).
Any suggestions?

@tirsoh
Copy link

tirsoh commented Sep 5, 2013

I am having the same problem as phornby mention two posts above. Any ideas?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment