config.useXDomain to use XDomainRequest/CORS in IE #1047
Conversation
|
will this work in $resource? |
|
No. =/ The $resource calls $http with the same params: 'method', 'url' and 'data'. I keep this behavior on it, so we cant pass the additional param 'useXDomain' |
|
You can use $http.defaults.useXDomain = true ;) |
|
@mhevery merge this pull request as soon as possible please!! |
|
Is it so, @http.defaults.useXDomain = true will solve it for $resource? |
|
@kvirkki in this pull request, it only works to $http. But i can implement it to $resource too, its very simple :) |
|
@ricardohbin that would be sweet! :) |
|
if this is the solution to using $resource to access cross-site resources (such as a 3rd-party RESTful web service) then please pull it. |
|
"$http.defaults.useXDomain = true" now works as expected, using $resource or $http =D |
|
Hey Ricardo, do you have an example of this working ? A jsfiddle maybe ? I am keen to have $resource work cross-domain |
|
@johnoscott sure! Check this: http://jsfiddle.net/ricardohbin/E3YEt/ |
|
@ricardohbin It doesnt seem to work for me (Chrome for Windows) when i use my http rest endpoint. See http://jsfiddle.net/johnoscott/JJE8b/3/ Hey would you mind discussing this on the angular group list ? I have started a discussion here : |
|
@johnoscott to CORS works, you need to set Access-Control-Allow-Origin header in response. I dont detect it on yours. |
|
Sorry for the delay, we are going thorough our PR backlog and we need CLA signed before we can accept this. Thanks for your contribution! In order for us to be able to accept it, we ask you to sign our CLA (contributor's license agreement). CLA is important for us to be able to avoid legal troubles down the road. For individuals (a simple click-through form): For corporations (print, sign and scan+email, fax or mail): |
|
Could we change this so that we don't have to use $http.defaults.useXDomain = true. The implementation should simply default to XDomainRequest on IE if CORS is needed. I am not sure what does the additional flag buy us. |
|
I think the principled approach should be that Angular hides Internet Explorer 8 (and later)'s proprietary implementation of cross-domain requests (their XDomainRequest object) and just does the right thing when using $http and $resource. I have just spent a few days properly understanding - and implementing CORS on my server. I originally thought that Angular didn't support CORS at all and this pull request was a fix for all browsers - I was mistaken. This is just a fix for IE (as the title clearly states) and Angular does indeed support CORS out of the box when the server is configured correctly. I really don't want to have any browser checks in my Angular app to enable proprietary features. It should just work. So my suggestion here is that for ie8, their XDomainRequest is just used by default for cross-site requests and their is no configuration required. |
|
Hi @johnoscott and @mhevery, thanks for feedback! I didnt make the XDomainRequest as default because it has some some restrictions compared to XHR. Yes, CORS works on it, and this is fine. But it only works with GET/POST, only text/plain is supported for the request's Content-Type header and few more limitations. This link explain them very well: http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx If we force IE8/9 to always use XDomainRequest, many benefits of XHR will be lost (like consume RESTful resources). Maybe a fallback to avoid this flag? PS: already signed CLA. Thanks :) |
|
Looked at the documentation and there seems to be no hope to make this work with CORS and most sites, and we don't want to maintain IE specific API. As much as we would like this, it is not going to happen. :-( |
|
I created a jsFiddle: http://jsfiddle.net/Xrdvm/1/ |
|
Theres some reasons why it doesnt works:
Maybe, if you fix these points, it will works on IE. Just remembering: the XDomainRequest doesnt works well with REST, how I said above :) |
|
@tomagladiator the resource needs mine angular script too |
|
@tomagladiator you fix the HTTP vs HTTPS that I mentioned? |
|
@ricardohbin |
|
@matohawk in this case, maybe a backend proxy is really the best approach. You request it, and it pass the request to the other-domain services :) |
|
@ricardohbin |
|
Ok, so basically it is impossible to issue CORS requests (cross browser) with Angular's $resource/$http, especially when it's from HTTP to HTTPS? I'm on 1.0.8 stable. |
|
@CMCDragonkai in IE < 10, yes. |
|
Is there a quick work around, because I need it for IE9. |
|
@CMCDragonkai I have a fork of this PR https://github.com/ricardohbin/angular.js/tree/useXDomain , but the angular version is a bit old. |
|
Can you point to the relevant areas or files? Or would it be better to just jury rig something with jquery? |
|
I uses cross domain request merely for fetching templates stored on the S3 bucket. Inspired by the flXHR solution mentioned by @walski in #934 ,I replaced Here is the patch I created as a drop-in replacement for It must be loaded before angular because inside angular it keeps a copy of |
|
wtf, angular does not support CORS in IE 8 or 9? wow |
|
I am with v1.1.4 stable. I know that its a CORS problem because when I change in Internet Explorer Options -> Security -> Custom Level -> Miscellaneous -> Access data sources across domains to ENABLED it works. |
|
@jonymusky use the changes that I made in my PR. This files => https://github.com/ricardohbin/angular.js/blob/useXDomain/src/ng/httpBackend.js https://github.com/ricardohbin/angular.js/blob/useXDomain/src/ng/http.js |
|
Thanks. But when I see the headers there are: But for any reason the request of the file is using OPTIONS method and not GET for example. thanks. |
|
Every CORS ajax do an OPTIONS "preflight" to check it destination headers. Probably this preflight has some error, and are failing your request. You are sending ajax with X-Request-With? |
|
Yes I send the X-Request-With with Ajax but the problem is in templateUrl that use a template from other domain and I am using an i18n module that use a json file from other domain. |
|
@ricardohbin I added one more try catch for IE to your patch. try { return new ActiveXObject("Microsoft.XMLHTTP"); } catch (e4) {} And this patched solved the CORS problem I was having in FireFox. Why isn't this included yet? |
|
@ricardohbin With your patch and o version 1.08, all the IEs give the response 'Error'. No error message besides that, and the only thing in the console is a log message that happens at page load: Log: Given Url cannot be accessed because it is not in the application's configuration. Do you have any idea of a work around using your patch for this? Also, if I remove $httpProvider.defaults.useXDomain = true; it works in IE10, but will break when it's included. |
|
Made another small fix. IE10 does not need to use XDomainRequest, a conditional could be added to check for the version of IE. IE10 works again but IE8 and IE9 still throws the generic 'ERROR' from your 500 error code implementation.. var XHR = window.XMLHttpRequest || function() { function isIE () { |
|
This is a huge issue for an application we're developing right now. We really need to be able to do cross domain requests to our API subdomain. I really don't want to customize the angular code itself. Is there not a plugin or some other workaround? We tried using the xdomain.js approach, but that threw more Access Denied errors. |
|
@pf-tara-maxwell take a look at #934 folks have outlined several work arounds there. |
|
Yeah, I've looked at that thread quite a few times, now. And I tried the XDomain.js proxy solution, but it throws a different "Access Denied" within it's code. |
|
Quite frankly (as someone who solved that issue himself) I would strongly suggest for you to enable JSONP instead. If that is not an option I might be able to help with the flXHR solution. It requires Flash on old browsers, though 😱 |
|
It would be great if we could use JSONP, but that is not an option with our current Restful API setup. We also can't really use the flXHR approach because it only works for Gets, and Posts. We have dropped support of IE7, but we still really need to support IE8 and especially IE9. 😢 |
|
So what I did there for the POST only nature of flXHR is adding something like the Ruby on Rails magic If all of that is not an option, you could try to setup a proxy under the same domain as the website which tunnels requests to your backend. Would one of these work? |
|
I'm trying the proxy approach, for now; but it will probably throw up some security concerns by our IT department. I think in the long term we're going to need to add some .Net MVC controllers in the same domain to make the API calls on the backend. Unfortunately, I'm getting a lot of slack over choosing to go with Angular for the majority of the application and just using .Net MVC for the authentication handling. It looks like we might should have used Angular with more of a MVVM pattern instead of MVC from the get go. But I didn't realize at the beginning of the project that we would be making cross-domain requests for all of the API calls and that it would be such an issue in IE 9 and below. It's possible that I can convince the product owners to drop support of IE8 in the near future, but probably not IE9. |
|
👍 Your position pretty much sounds like where we've been 9 month ago: Everything built around cross-domain XHR and then IE≤9 comes along ;) Hope you manage to get around this! |
A new config param to use with $http. When true, IE uses XDomainRequest instead of XMLHttpRequest, useful to use CORS