Internet Explorer 11 does not add the Origin header on a CORS request?
Internet Explorer's definition of the "same origin" differs to the other browsers. See the IE Exceptions section of the MDN documentation on the same-origin policy:
Internet Explorer has two major exceptions when it comes to same origin policy:
- Trust Zones: if both domains are in highly trusted zone e.g, corporate domains, then the same origin limitations are not applied
- Port: IE doesn't include port into Same Origin components, therefore http://company.com:81/index.html and http://company.com/index.html are considered from same origin and no restrictions are applied.
Therefore if your cross-origin request occurs across different ports, or within one of IE's trusted zones, IE will not treat the request as cross-origin and will see no need to add the Origin:
header.
I just happened to stumble across a reported bug over at a Microsoft associated site that clearly describes my issue. Microsoft staff quickly concluded that:
There is insufficient information to reproduce the behavior you are observing.
Since their first comment and their first attempt (?), they have actually managed to run two different web servers on different ports and reproduced the problem. Latest comment from Microsoft says that they "consider targetting a fix in the future".