I'm using plupload to upload files to an ASP.NET WebAPI service. It works fine in Chrome, and it works fine in IE8/IE9 on my development machine. When I connect to the website on the actual server, however, uploading a file causes plupload's error handler to fire with an error code of -400 and an error message of "Security Error."
Looking at the response and request headers everything looks ok. The response even contains the correct return value! I'm guessing this has something to do with using https, but I'm not sure and it does work correctly in Chrome. (Firefox has a completely different issue, but seems to at least get the data back unlike IE.)
I'm wondering if it has something to do with the request Accept header, which is:
Accept application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
The response header's Content-Type is text/html because application/json causes IE to want to save the response rather than pass it back to the script.
So what is this "Security Error" and why am I getting it? More importantly why am I getting it even though the response seems to be coming back correctly? Even more importantly, how do I fix it?
EDIT: OK, so more information. Apparently IE9 uses the html4 runtime for plupload, which uses an iframe to handle the file upload. When the data returns and it tries to access the HTMLIFrameElement IE9 gives an "Access is denied" error. I understand it's to help prevent XSS errors, BUT it seems like reading from an iframe should be safe...
So anyone know a way around it?
It turns out that both IE8 and IE9 use plupload's HTML4 runtime, rather than the HTML5 runtime. The HTML4 runtime works by rendering a hidden iframe in order to handle the upload. The problem here is that IE8/9 disallow access to that iframe in order to prevent XSS attacks, so when plupload tries to read the result of the upload we get that security error.
The solution is basically to keep the web service available at the same URL as the page calling it. In my case, I just configured a virtual application in IIS that points at the web services site (which happens to be on the same server, but I think it can work with two different servers as well).
Creating a virtual application in the same site allows you to refer to the primary site's URL while still getting content from the secondary site.
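The same-origin condition behind the fix above, as an added example that is not part of the original question or answer: it resolves an upload URL against the page URL the way the browser would and reports which origin component (scheme, host, port) differs. The host names and paths are constructed placeholders, and `checkUploadOrigin` is a hypothetical helper, not a plupload API.

```javascript
'use strict';

// URL.port is '' when the scheme's default port is in use, so normalise it.
function effectivePort(u) {
  if (u.port !== '') return u.port;
  if (u.protocol === 'https:') return '443';
  if (u.protocol === 'http:') return '80';
  return '';
}

// Hypothetical helper: predicts whether a script on pageUrl may read the
// document loaded into a hidden iframe from uploadUrl (the mechanism the
// HTML4 runtime relies on). Relative upload URLs inherit the page origin.
function checkUploadOrigin(pageUrl, uploadUrl) {
  const page = new URL(pageUrl);
  const target = new URL(uploadUrl, page);
  const mismatches = [];
  if (page.protocol !== target.protocol) mismatches.push('scheme');
  if (page.hostname !== target.hostname) mismatches.push('host');
  if (effectivePort(page) !== effectivePort(target)) mismatches.push('port');
  return {
    resolved: target.href,
    sameOrigin: mismatches.length === 0,
    mismatches,
  };
}

// Constructed sample values, not taken from the original post.
const PAGE = 'https://www.example.test/upload.html';
const CASES = {
  separateSite: 'https://services.example.test/api/files', // separate services site
  otherPort: 'https://www.example.test:8443/api/files',    // same host, other port
  mixedScheme: 'http://www.example.test/api/files',        // http endpoint, https page
  explicit443: 'https://www.example.test:443/api/files',   // default port spelled out
  virtualApp: '/services/api/files',                       // virtual application path
};

for (const [name, url] of Object.entries(CASES)) {
  const r = checkUploadOrigin(PAGE, url);
  const verdict = r.sameOrigin
    ? 'iframe response readable'
    : 'access denied (' + r.mismatches.join(', ') + ')';
  console.log(name.padEnd(13), verdict, '->', r.resolved);
}
```

Only the relative virtual-application path and the explicit default port resolve to the page's own origin; the other three differ in host, port or scheme, which is the condition under which IE8/IE9 refuse access to the iframe.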
Source: https://stackoverflow.com/questions/14429523/why-am-i-getting-a-security-error-from-plupload-on-ie8-ie9-when-uploading-over