I'm trying to implement a workaround for missing CORS functionality in Internet Explorer. For GET requests I use JSONP, no problem here. For small POST/DELETE/PUT requests I also use JSONP by tunneling the requests through GET, but this does not work for larger requests (because the length of the GET URL is limited). So for large data I try to implement a form POST via an iframe. I can't read the response from this POST because of the same-origin policy, so I fetch the response via a JSONP GET request after posting the data. Works great, but sometimes I get a strange warning in IE 9:
Internet Explorer has modified this page to help prevent cross-site scripting.
First I wondered what the hell IE is doing there because even when this warning appears everything still works correctly. Then I found out that IE replaces the content of the hidden iframe AFTER the POST answer (which I can't read and need anyway) with a "#" character.
So my workaround still works even when this warning appears but I would like to know what exactly triggers this warning so maybe I can modify my CORS workaround to get rid of this warning. Any hints?
You can configure the X-XSS-Protection header on your server. This will tell IE to disable XSS protection on your site.
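One way to apply the header from the answer above, as an added example that is not code from the original post: it sends `X-XSS-Protection: 0` only on the response to the hidden-iframe POST and sends no such header on any other response. The `/tunnel` path, the `id` query parameter, the in-memory store and all function names are assumptions made for illustration.

```javascript
// Added example. Assumptions: the hidden-iframe form posts to /tunnel?id=...,
// and the result is later fetched by a separate JSONP GET (not shown here).
const TUNNEL_PATH = '/tunnel';          // hypothetical endpoint name
const pending = new Map();              // request id -> posted body

// Decide the X-XSS-Protection value for one response.
// Returns '0' only for the iframe POST target; null means "do not send
// the header", which leaves the browser's default filter behaviour alone.
function xssProtectionFor(method, url) {
  const path = url.split('?')[0];
  return method === 'POST' && path === TUNNEL_PATH ? '0' : null;
}

// Plain (req, res) handler, usable with require('http').createServer(handler).
function handler(req, res) {
  const value = xssProtectionFor(req.method, req.url);
  if (value !== null) res.setHeader('X-XSS-Protection', value);

  if (value === null) {                 // other routes are outside this sketch
    res.statusCode = 404;
    return res.end();
  }
  let body = '';
  req.on('data', chunk => { body += chunk; });
  req.on('end', () => {
    const id = new URLSearchParams(req.url.split('?')[1] || '').get('id');
    pending.set(id, body);              // kept for the follow-up JSONP GET
    res.statusCode = 200;
    res.end();                          // the page cannot read this response anyway
  });
}

// Constructed request/response stand-ins so the handler can be exercised offline.
function simulate(method, url, payload) {
  const listeners = {};
  const headers = {};
  const req = { method, url, on: (ev, fn) => { listeners[ev] = fn; } };
  const res = {
    statusCode: 0,
    setHeader: (k, v) => { headers[k] = v; },
    end: () => {},
  };
  handler(req, res);
  if (listeners.data) { listeners.data(payload); listeners.end(); }
  return { status: res.statusCode, headers };
}
```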