I've noticed that certain browsers do not seem to support withCredentials in CORS requests, at least under some conditions. Specifically, in IE 10, attempting to set xhr.withCredentials = true results in:

SCRIPT5022: InvalidStateError

and in Safari 5 (but not 6) I get

INVALID_STATE_ERR: DOM Exception 11: An attempt was made to use an object that is not, or is no longer, usable.

again, in response to the same statement.

Are these known problems, or am I setting up my XHR wrong somehow? Is there a list of which browsers support withCredentials?

I've noticed that certain browsers do not seem to support withCredentials in CORS requests, at least under some conditions. Specifically, in IE 10, attempting to set xhr.withCredentials = true results in:

SCRIPT5022: InvalidStateError

and in Safari 5 (but not 6) I get

INVALID_STATE_ERR: DOM Exception 11: An attempt was made to use an object that is not, or is no longer, usable.

again, in response to the same statement.

Are these known problems, or am I setting up my XHR wrong somehow? Is there a list of which browsers support withCredentials?

• javascript
• xmlhttprequest
• cors

Share Improve this question Follow asked Oct 29, 2013 at 18:54 DanDan 11.1k77 gold badges5353 silver badges8282 bronze badges 3

• caniuse./#search=cors – Diodeus - James MacFarlane Commented Oct 29, 2013 at 18:56
• Are you setting withCredentials after open but before send? – apsillers Commented Oct 29, 2013 at 18:59
• Acording to the withCredentials spec: "When set: throws an InvalidStateError exception if the state is not UNSENT or OPENED, or if the send() flag is set." This suggests that it must bet before calling send(). Some browsers might be erroneously more strict than this specification rule, however. Can you post your actual code? – apsillers Commented Oct 29, 2013 at 19:08

Add a ment  | 

1 Answer 1

Sorted by: Reset to default 14

The August 16, 2011 XHR draft specifies a rule for setting withCredentials:

When set: throws an INVALID_STATE_ERR exception if the state is not OPENED or if the send() flag is true.

However, the January 17, 2012 draft is more permissive:

When set: throws an InvalidStateError exception if the state is not UNSENT or OPENED, or if the send() flag is set.

You are probably setting withCredentials before calling .open, which is disallowed by the 2011 spec but allowed by the 2012 spec. To ply with both, simply move your property assignment after your call to .open.