Cross-Origin Requests (CORS) in Internet Explorer, Firefox, Safari and Chrome

In Firefox, Safari and Chrome

If your WebDAV server is located on a different domain, on a different port, or uses a different protocol (HTTP / HTTPS), requests to it are considered cross-origin requests and are prohibited by the user agent by default. To enable such requests (Cross-Origin Resource Sharing, CORS), your server must attach the following headers to all responses:

Access-Control-Allow-Origin: http://webdavserver.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: PROPFIND, PROPPATCH, COPY, MOVE, DELETE, MKCOL, LOCK, UNLOCK, PUT, GETLIB, VERSION-CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, REPORT, UPDATE, CANCELUPLOAD, HEAD, OPTIONS, GET, POST
Access-Control-Allow-Headers: Overwrite, Destination, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control

These headers enable cross-origin requests in Firefox 3.6+, Safari 4+ and Chrome 4+. Older versions of these browsers do not allow CORS requests.

Important! Firefox and Chrome require an exact domain in the Access-Control-Allow-Origin header. For servers with authentication, these browsers do not allow "*" in this header.

Optionally, you can also attach the Access-Control-Max-Age header, which specifies the number of seconds for which the preflight request is cached. This reduces the number of requests:

Access-Control-Max-Age: 3600

In Internet Explorer

Internet Explorer ignores Access-Control-Allow headers and by default prohibits cross-origin access for the Internet Zone. To enable CORS, go to Tools -> Internet Options -> Security tab and click the “Custom Level” button. Find the Miscellaneous -> Access data sources across domains setting and select the “Enable” option.

If your server is located in the Intranet Zone, by default IE will show a confirmation dialog during the first cross-domain request: “This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?”. To suppress this warning, set the "Access data sources across domains" setting to "Allow".

 

Cross-Origin Requests with Authentication

If your WebDAV server uses Basic, Digest or Integrated Windows Authentication (IWA), a user agent may impose additional limitations. The table below describes authentication type support for cross-origin WebDAV requests:

 

          IE       Firefox   Safari   Chrome
Basic     + (1)    + (2)     + (3)    +
Digest    +        + (2)     + (3)    +
IWA       +        + (2)     + (3)    +

 

Important!
1 - Internet Explorer on Windows 7 and Windows Vista by default requires an SSL connection for Basic authentication. Details about how to overcome this limitation can be found here.
2 - Firefox requires the OPTIONS request to be unauthenticated when cross-domain requests are used.
3 - Safari never displays a login dialog for cross-origin requests. To display the login dialog, a GET request must be sent via an iframe. See below.
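
The header rules from the first section and note 2 (unauthenticated OPTIONS), combined in one server-side decision function. This is an added example, not part of the original page or of any product's code; the function names, the allow-list, the Vary: Origin header and the Basic realm are assumptions, and request headers are expected with lowercase names, as Node.js delivers them.

```javascript
// Added example. ALLOWED_ORIGINS is a constructed allow-list; its one entry is the origin from the page's header sample.
const ALLOWED_ORIGINS = new Set(['http://webdavserver.com']);
const ALLOW_METHODS = 'PROPFIND, PROPPATCH, COPY, MOVE, DELETE, MKCOL, LOCK, UNLOCK, PUT, GETLIB, VERSION-CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, REPORT, UPDATE, CANCELUPLOAD, HEAD, OPTIONS, GET, POST';
const ALLOW_HEADERS = 'Overwrite, Destination, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control';

// Build the CORS headers for one response, given the request's Origin header.
function corsHeaders(origin) {
  // Missing or unlisted origin: send no Access-Control-* headers, so the
  // browser refuses to expose the response to the calling page.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin, // exact origin; "*" is rejected with credentials
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': ALLOW_METHODS,
    'Access-Control-Allow-Headers': ALLOW_HEADERS,
    'Access-Control-Max-Age': '3600',
    Vary: 'Origin', // a cache must not reuse this response for another origin
  };
}

// Runs before the WebDAV handler. Returns { status, headers }; status null
// means "continue to authentication-checked WebDAV processing and attach
// these headers to whatever response it produces".
function preHandle(req) {
  const headers = corsHeaders(req.headers.origin);
  // Preflight is answered before the authentication check: the browser
  // sends OPTIONS without credentials (note 2 above).
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    return { status: 204, headers };
  }
  if (!req.headers.authorization) {
    headers['WWW-Authenticate'] = 'Basic realm="WebDAV"'; // constructed realm
    return { status: 401, headers }; // the challenge carries the CORS headers too
  }
  return { status: null, headers };
}

// Constructed sample requests, printed as "METHOD origin -> status, allowed origin".
const samples = [
  { method: 'OPTIONS', headers: { origin: 'http://webdavserver.com', 'access-control-request-method': 'PROPFIND' } },
  { method: 'OPTIONS', headers: { origin: 'http://other.example', 'access-control-request-method': 'PROPFIND' } },
  { method: 'PROPFIND', headers: { origin: 'http://webdavserver.com' } },
];
for (const req of samples) {
  const r = preHandle(req);
  console.log(req.method, req.headers.origin, '->', r.status, r.headers['Access-Control-Allow-Origin']);
}
```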

 

Cross-Origin Request with Authentication in Safari

To display the login dialog for cross-origin requests in Safari, the browser must first send a GET request. This request cannot be sent via XMLHttpRequest, only by accessing the server directly, for example via an iframe. The iframe onload event always fires after the user enters credentials in the login dialog. Only when the iframe onload event fires can the Ajax library send requests. If authentication fails, the onload event never fires.