In Internet Explorer 10, the browser is incorrectly truncating HTTP POST requests and submitting unsolicited NTLM negotiate headers with an HTTP Content-Length of zero bytes. This results in HTTP POST parameters failing to be submitted to the server.
Assume the following web application with a context root of:
https://w3.someapplication.net/webapplication/
Secure cookies for this site are established at the context root of this application.
To reproduce this issue, a secure session is established at a protection space deeper than the root context of the web app:
https://w3.someapplication.net/webapplication/secure/login
After establishing a secure session with the web application, some client side artifacts are retrieved from a web proxy at a higher protection space:
https://w3.someapplication.net/webapplication/somejs.js
Subsequent HTTP POST requests to a deeper protection space will result in IE incorrectly attempting to pass an unsolicited NTLM negotiate header to the server side, and the HTTP POST request will be truncated with a Zero Content-Length header:
https://w3.someapplication.net/webapplication/submit/form
The result is that the HTTP POST parameters submitted to the last URL will be lost.
This is reproducible against IE6 and IE10. It does not reproduce against IE8, or any non-Microsoft browser, all of which behave in a sane manner.
My Questions:
Why is IE behaving this way?
What can I do to make IE behave properly? Please don't suggest that I change the entire structure of my company's website to overcome this kind of silly bug in IE.
Is there a planned fix to correct this behavior back to the proper implementation observed in IE8?
Additional details about this problem are documented by an IE Internals blogger at the following URL:
http://blogs.msdn.com/b/ieinternals/archive/2010/11/22/internet-explorer-post-bodies-are-zero-bytes-in-length-when-authentication-challenges-are-expected.aspx
Michael
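A server-side check for the request shape described in the post above, as an added example that is not part of the original post: it flags a POST with `Content-Length: 0` whose `Authorization` header carries an NTLM negotiate (type 1) message. The function names and sample requests are constructed for illustration; the `NTLMSSP` signature followed by a little-endian message type is the standard NTLM message layout.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this

def parse_request_head(raw: bytes):
    """Split a raw HTTP request into (method, target, lower-cased headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def ntlm_message_type(authorization: str):
    """Return the NTLM message type (1 = negotiate, 3 = authenticate), else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        return None
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return None
    if len(blob) < 12 or not blob.startswith(NTLMSSP_SIGNATURE):
        return None  # not a raw NTLMSSP token
    return struct.unpack_from("<I", blob, 8)[0]  # little-endian type field

def is_bodyless_ntlm_post(raw: bytes) -> bool:
    """True for a POST with Content-Length 0 that carries an NTLM negotiate message."""
    method, _target, headers = parse_request_head(raw)
    if method != "POST" or headers.get("content-length") != "0":
        return False
    return ntlm_message_type(headers.get("authorization", "")) == 1

# Constructed sample requests (not captured traffic); host and path are the post's placeholders.
TYPE1_TOKEN = base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xA2088207)).decode()
SAMPLE_TRUNCATED = (
    "POST /webapplication/submit/form HTTP/1.1\r\n"
    "Host: w3.someapplication.net\r\n"
    f"Authorization: NTLM {TYPE1_TOKEN}\r\n"
    "Content-Length: 0\r\n\r\n"
).encode()
SAMPLE_NORMAL = (
    "POST /webapplication/submit/form HTTP/1.1\r\n"
    "Host: w3.someapplication.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 9\r\n\r\nfield=abc"
).encode()
```

Running `is_bodyless_ntlm_post` over requests captured at the server or proxy shows which form submissions arrived without their body, which helps separate this browser behaviour from application-side parameter handling faults.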