- Open Internet Explorer 11
- Access "google.com"
- Browser should redirect to "https://www.google.com"
- Load Developer Console
- Enter this line into the console: `new XMLHttpRequest().open("GET", "http://www.google.com", true)`
- Console returns "Access is denied."
- Enter this line into the console: `new XMLHttpRequest().open("GET", "https://www.google.com", true)`
- Console returns "undefined"
```javascript
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://localhost/', true); // This line will trigger an error
xhr.send();
```
What I didn't notice (until much later, now) on the very same page was this:
In addition to the trusted site requirement I found that the problem was not fixed until I used the same protocol for the request as my origin, e.g. my test site was hosted on a https but failed with any destination using http (without the s).
This only applies to IE; Chrome just politely logs a warning in the debug console and doesn't fail.
Which led me to finding this, which mentioned:
Requests must be targeted to the same scheme as the hosting page
This restriction means that if your AJAX page is at http://example.com, then your target URL must also begin with HTTP. Similarly, if your AJAX page is at https://example.com, then your target URL must also begin with HTTPS.
This was a pain in my butt for the past few weeks now. It didn't have anything to do with the hardened workstation, whitelisting of URLs, or firewall configuration. The "Access is denied" could have been a little bit more helpful with clues. It wouldn't show up in development; it's only when you start deploying your code into staging or production environments that stuff like SSL starts getting in the way with this kind of issue.
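A pre-deployment check for the same-scheme rule quoted above, as an added example that is not part of the original post: it resolves each AJAX target against the hosting page's URL and reports the ones whose scheme differs. The function names, page URLs and target list are hypothetical and constructed for illustration.

```javascript
// Added example: flag AJAX targets whose scheme differs from the hosting page.
// checkAjaxTargets, failingTargets and all sample URLs are hypothetical.
function checkAjaxTargets(pageUrl, targets) {
  var page = new URL(pageUrl);
  return targets.map(function (target) {
    var resolved;
    try {
      // Relative ("/api") and scheme-relative ("//host/x") targets inherit
      // the page's scheme, so they can never mismatch.
      resolved = new URL(target, page);
    } catch (e) {
      return { target: target, ok: false, reason: 'unparseable URL' };
    }
    if (resolved.protocol === page.protocol) {
      return { target: target, ok: true, reason: 'same scheme' };
    }
    var reason = (page.protocol === 'https:' && resolved.protocol === 'http:')
      ? 'https page calling http target'
      : 'scheme mismatch: ' + page.protocol + ' page, ' + resolved.protocol + ' target';
    return { target: target, ok: false, reason: reason };
  });
}

// Convenience wrapper: just the targets that would break the rule.
function failingTargets(pageUrl, targets) {
  return checkAjaxTargets(pageUrl, targets)
    .filter(function (r) { return !r.ok; })
    .map(function (r) { return r.target; });
}

// Constructed sample: endpoints an application might call.
var SAMPLE_TARGETS = [
  '/api/items',
  '//cdn.example.test/data.json',
  'http://localhost/',
  'https://api.example.test/v1',
  'http://api.example.test/v1'
];

// The same list passes or fails depending on where the page is hosted,
// which is why the problem only appears after moving to an SSL environment.
console.log('dev    :', failingTargets('http://localhost:8080/', SAMPLE_TARGETS));
console.log('staging:', failingTargets('https://staging.example.test/app/', SAMPLE_TARGETS));
```

Running it against the list of endpoints in your configuration for each environment's page URL shows which calls need their scheme changed before deployment.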
I'd been swamped with working on something massive for the past half a year. It hasn't been easy at all with the long drawn marathon of development work that I've been involved in. But I still think that computers are easier to understand than humans.