Basically, we have a small .NET application working as a web server to save data locally and a website is storing/retriving data from that application. Since the website is hosted on the Internet and the .NET application is listening on localhost on a specific
port, we need to communicate using CORS requests.
From our understanding of the documentation, if we want to use CORS, we need to set the following security option to "Enable" (or "Prompt"):
"Internet Options" / "Security" tab / Internet (or affected zone) / "Custom level..." / "Miscellaneous" / "Access data sources across domains"
But, what I got is the opposite.
Disable: All features of the website are working
Prompt: All features of the website are working but we don't see any prompt (even for CORS requests)
Enable: CORS features doesn't work
So, if we put the website on our intranet and play with predefined security settings, all features works except if we set the settings to "Low" because it enable "Access data sources across domains". That make no sense.
Also, when the setting is disable or prompt and we look at the requests generated by Internet Explorer with Fiddler, we see a pre-flight requests (OPTIONS) including an ORIGIN tag header. But, if the setting is enable, no more pre-flight and no more ORIGIN.
I'm totally confused. I tested it on Windows 7 with Internet Explorer 10 and also on Windows 7 with Internet Explorer 11.
Is there something we don't understand with "Internet Options"?