There is a problem: when authorizing on one resource (for example, a.com), you need to quietly (via jQuery ajax) authorize on another resource (b.com); both resources share a common user base. In this case, the following JS code is written on the authorization page:
```javascript
// Serialize the login form and POST it cross-origin to b.com
var form = jQuery('#auth_form');
var data = form.serialize();
var url = 'http://www.b.com/auth';
jQuery.ajax({
    url: url,
    crossDomain: true,
    type: 'POST',
    dataType: 'html',
    data: data,
    // send and accept cookies on the cross-origin request
    xhrFields: { withCredentials: true },
    success: function (html) { },
    error: function (jqXHR, textStatus) { }
});
```

The server responds with all the required CORS headers:
```php
header("Access-Control-Allow-Origin: http://www.a.com");
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Methods: POST,GET,OPTION");
header("Access-Control-Max-Age: 1000");
header("Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token");
```

The oddity is that in Chrome and Opera it works, but the evil Firefox doesn't even send a request and writes this to the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.b.com. This can be fixed by moving the resource to the same domain or enabling CORS.
I have the latest version of Firefox (37.0.1), and it is written everywhere that versions 3.5+ support CORS, so I don't understand what is going on. I tried to monitor the network with Fiddler: I really don't see the request from Firefox (from Chrome I see everything as it should be). Attempts to tinker with the Firefox settings (such as setting capability.policy.default.XMLHttpRequest.open = allAccess) give no results. What do the right people do in such cases?
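As an added example (not part of the original post), the checker below applies the browser-side CORS rules for a credentialed request to the response headers shown in the question. The function names and the sample requests are constructed for illustration; only the header values come from the post.

```javascript
// Added example (not from the original post): applies the browser's CORS rules
// for a credentialed request (withCredentials: true) to a set of response headers.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Request headers that must be named in Access-Control-Allow-Headers (lowercased).
function headersNeedingApproval(req) {
  const type = (req.contentType || '').split(';')[0].trim().toLowerCase();
  const names = (req.customHeaders || []).map((n) => n.toLowerCase());
  if (type !== '' && !SAFE_TYPES.includes(type)) names.push('content-type');
  return names;
}

// A preflight OPTIONS request precedes anything that is not a "simple" request.
const needsPreflight = (req) =>
  !SAFE_METHODS.includes(req.method) || headersNeedingApproval(req).length > 0;

function checkCredentialedCors(req, responseHeaders) { // req.method is upper case
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v.trim();
  const list = (name) => (h[name] || '').split(',').map((s) => s.trim().toLowerCase());
  const problems = [];
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) problems.push('no Access-Control-Allow-Origin');
  else if (allowOrigin === '*') problems.push('wildcard origin is refused with credentials');
  else if (allowOrigin !== req.origin) problems.push(`origin ${req.origin} != allowed ${allowOrigin}`);
  if (h['access-control-allow-credentials'] !== 'true')
    problems.push('Access-Control-Allow-Credentials is not exactly "true"');
  if (needsPreflight(req)) {
    if (!SAFE_METHODS.includes(req.method) && !list('access-control-allow-methods').includes(req.method.toLowerCase()))
      problems.push(`method ${req.method} not in Access-Control-Allow-Methods`);
    const allowed = list('access-control-allow-headers');
    for (const name of headersNeedingApproval(req))
      if (!allowed.includes(name)) problems.push(`header ${name} not in Access-Control-Allow-Headers`);
  }
  return { preflight: needsPreflight(req), problems };
}

// Headers as posted in the question; the requests below are constructed samples.
const POSTED = {
  'Access-Control-Allow-Origin': 'http://www.a.com',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'POST,GET,OPTION',
  'Access-Control-Allow-Headers': 'x-requested-with, Content-Type, origin, authorization, accept, client-security-token',
};
const formPost = { origin: 'http://www.a.com', method: 'POST', contentType: 'application/x-www-form-urlencoded; charset=UTF-8' };
console.log(checkCredentialedCors(formPost, POSTED));
console.log(checkCredentialedCors({ ...formPost, origin: 'http://a.com' }, POSTED));
```

The first call models the form POST from the question: it is a simple request, so no preflight is involved and the posted headers pass. The second shows how the same headers fail when the page is loaded from a host that differs from the allowed origin by even the `www.` prefix.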