Please help test a CORS issue in Firefox jQuery ajax when 401

Backend · unresolved · 4 answers · 1621 views
野的像风
野的像风 2021-01-03 01:10

this is driving me nutters.

jQuery 1.4.2, windows XP sp3

Here is my test.

Load firefox 3.5+

http://plungjan.name/test/testcors.html

w

4 answers
  •  执笔经年
    2021-01-03 01:57

    CORS with file://

    If you have problems by allowing origins from the file:// protocol, according to The Web Origin Concept it should be done the same way as any other origins. I could not find information about the browser support, but I think every browser which is supporting CORS does support this one too.

    The Web Origin Concept tells us the following about the file URI scheme:

       4.  If uri-scheme is "file", the implementation MAY return an
           implementation-defined value.
    
              NOTE: Historically, user agents have granted content from the
              file scheme a tremendous amount of privilege.  However,
              granting all local files such wide privileges can lead to
              privilege escalation attacks.  Some user agents have had
              success granting local files directory-based privileges, but
              this approach has not been widely adopted.  Other user agents
              use globally unique identifiers for each file URI, which is
              the most secure option.
    

    According to wikipedia the domain by the file URI scheme is localhost. It is omittable by the address bar, but I don't think it is omittable in the allow origin headers. So if your browser implementation allows origin with a file URI scheme, then you should add file://localhost to your allowed origins, and everything should work properly after that.

    This was how it should work, now meet reality:

    • I tested with current firefox 29.0.1, and it did not work. However the file:// protocol is transformed into null origin by this implementation. So by firefox the null works. I tried with a wider domain list, but I did not manage to allow multiple domains. It seems like firefox does not support a list with multiple domains currently.
    • I tested with chrome 35.0.1916, it works the same way as firefox did.
    • I tested with msie 11.0.9600. By request from the file protocol it always shows an allow blocked content button, even by not allowing the null origin. By other domains it works the same way as the previous browsers.

    HTTP basic auth:

    The credentials part I tried out with PHP and HTTP basic auth.

    http://test.loc
    Displays :-) when logged in and :-( when unauthorized.

    ```php
        :-(';
    }

    if (!isset($_GET['logout']) && authorized()) {
        echo ':-)';
    } else
        unauthorized();
    ```

    So this code changes the location by login and logout.

    Cross domain CORS with HTTP basic auth

    http://todo.loc
    Gets the content of http://test.loc with cross domain XHR and displays it.

    cross domain ajax

    Requires headers by http://test.loc:

    Access-Control-Allow-Origin: http://todo.loc
    Access-Control-Allow-Credentials: true
    

    Cross scheme CORS with HTTP basic auth

    file:///path/x.html
    Gets the content of http://test.loc with cross scheme XHR and displays it.

    cross scheme ajax

    Requires headers by http://test.loc:

    Access-Control-Allow-Origin: null
    Access-Control-Allow-Credentials: true
    

    Conclusion:

    I tested cross-scheme CORS with credentials called from file:// and it works pretty well in firefox, chrome and msie.
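The server-side decision this answer arrives at (echo one allowed origin, send Allow-Credentials, and keep those headers on the 401 so the browser lets the script see it), written as an added Python example rather than the answer's PHP; the origins are the answer's test hosts, while the user name, password and realm are constructed for the demo.

```python
import base64

# Allowlist for the setup described in the answer: the cross-domain page
# (http://todo.loc) and the cross-scheme page (file://, which Firefox and
# Chrome send as the literal origin "null"). Test hosts from the answer.
ALLOWED_ORIGINS = {"http://todo.loc", "null"}

# Constructed credentials for the demo; a real deployment checks a password store.
VALID_USERS = {"alice": "s3cret"}


def basic_auth_ok(authorization_header):
    """Return True when the Authorization header carries valid Basic credentials."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return sep == ":" and VALID_USERS.get(user) == password


def build_response(origin, authorization_header, logout=False):
    """Decide status, headers and body for http://test.loc, as in the answer.

    - CORS headers are emitted only for an origin on the allowlist, and the
      allowed origin is echoed back verbatim: neither a list nor '*' is valid
      alongside Access-Control-Allow-Credentials: true.
    - Vary: Origin stops a cache from replaying one origin's headers to another.
    - Without valid credentials, or on ?logout, reply 401 with a challenge; the
      CORS headers stay on that 401, otherwise the browser withholds the
      response and jQuery only sees a generic error instead of the 401.
    """
    headers = {"Content-Type": "text/plain", "Vary": "Origin"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if not logout and basic_auth_ok(authorization_header):
        return 200, headers, ":-)"
    headers["WWW-Authenticate"] = 'Basic realm="test.loc"'  # constructed realm
    return 401, headers, ":-("
```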
