BasicAuth enabled CORS requests on IE8/9

Question

So, this happened. Quick bullet point list of facts:

• I have a HAL backend that lives on a different subdomain but (thankfully for IE10 support) in the same domain as my web app.
• I need POST and GET requests made.
• I do not need support for IE7 or less.
• I NEED support for IE8 and up.
• The way the API is built, I need to both send custom headers and be able to access the response headers. One of them is the basicAuth headers, but there may be more (like Location response headers and whatnot).
• I am well aware of the limitations of the XDomainRequest object.
• I have full control of both the API and the web app servers, code and everything in between. Yet, we believe the API is well built and shouldn't change because of one browser's poor implementation, so we'd like to keep changes to it at a minimum.

So that's how things are going. So far, I've checked a few alternatives that do not work. Here's a list of them and why it wouldn't help in this case: - JSONP, it only allows GET requests. - easyXDM, it does not allow custom headers to be sent. - OpenAjax Hub, documentation seemed confusing and scarce, but it seems that it has no support for custom headers either.

So here's the question: is there any solution I am missing? My only hope right now is to build a custom swf and override jQuery's $.ajax function to be able to use it as a transport, but am unsure if it'll work. In theory, it should. In practice... well, that's another matter entirely. SO before delving in the depths of swf hell, I thought I might ask if anyone ever faced this problem before and have any form of advice?

Answer 1

You're missing an embedded iframe, whose src lives on the other domain, and using window.postMessage to go back and forth between the two windows, where the embedded iframe does all of the XHR for your subdomain, and then sends back a custom-wrapped response with all of the header/data you would typically see in CORS.

You'll then have your IE8/9 support.