IE11 CORS rechaza las OPCIONES en https

Question

Jan 19, 2016, 05:31 PM

cors angularjs java internet-explorer-11 jersey

IE11 CORS rechaza las OPCIONES en https

IE11 por alguna razón rechaza una solicitud PUT pero solo cuando uso https. Me resulta muy difícil encontrar el problema, ya que el uso de http, localhost y otros navegadores funciona bien.

La consola muestra dos errores.

SEC7124: Request method PUT was not present in the Access-Control-Allow-Methods list.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

La solicitud de OPCIÓN enviada desde el navegador es

Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: accept, content-type, session-id
Access-Control-Request-Method: PUT   
Cache-Control: no-cache 
Connection: Keep-Alive  
Content-Length: 0  
Host: api.domain.com  
Origin: https://portal.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

y la respuesta del servidor es la siguiente:

X-Powered-By: Servlet/2.5
Server: server
Content-Encoding: gzip
Access-Control-Expose-Headers: Session-Id
Access-Control-Allow-Origin: *
Access-Control-Max-Age: -1
Allow: OPTIONS,GET,HEAD,PUT
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, Content-Type, session-id, authorization, portal-url
Content-Type: application/vnd.sun.wadl+xml
Content-Length: 352
Date: Tue, 19 Jan 2016 15:33:38 GMT

AngularJS se usa en el lado del cliente estándar $ http PUT se usa. Java con jersey se usa en el lado del servidor y el filtro de solicitud para manejar CORS es el siguiente:

 public ContainerResponse filter( final ContainerRequest request, final ContainerResponse response )
{
    if ( request.getHeaderValue( "Origin" ) != null ) 
    {
        final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
        headers.add( "Access-Control-Allow-Origin", "*" );
        headers.add( "Access-Control-Expose-Headers", "Session-Id" );
        headers.add( "Access-Control-Allow-Credentials", Boolean.TRUE.toString() );
    }

    if ( "OPTIONS".equals( request.getMethod() ) ) 
    {
        final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
        for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] ) 
        {
            headers.add( "Access-Control-Allow-Methods", method );
        }
        headers.add( "Access-Control-Allow-Headers",
                "accept, origin, Content-Type, session-id, authorization, portal-url, " 
                + "If-Modified-Since, Cache-Control, Pragma" );
        headers.add( "Access-Control-Max-Age", "-1" );            
    }

    return response;
}

Tal vez puedas ver qué puede estar mal con eso.

Gracias