I'm using plupload to upload files to an ASP.NET WebAPI service. It works fine in Chrome, and it works fine in IE8/IE9 on my development machine. When I connect to the website on the actual server, however, uploading a file causes plupload's error handler to fire with an error code of -400 and an error message of "Security Error."
Looking at the response and request headers everything looks ok. The response even contains the correct return value! I'm guessing this has something to do with using https, but I'm not sure and it does work correctly in Chrome. (Firefox has a completely different issue, but seems to at least get the data back unlike IE.)
I'm wondering it has something to do with the request Accept header, which is:
Accept application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
The response header's Content-Type is text/html because application/json causes IE to want to save the response rather than pass it back to the script.
So what is this "Security Error" and why am I getting it? More importantly why am I getting it even though the response seems to be coming back correctly? Even more importantly, how do I fix it?
EDIT: OK, so more information. Apparently IE9 uses the html4 runtime for plupload, which uses an iframe to handle the file upload. When the data returns and it tries to access the HTMLIFrameElement IE9 gives an "Access is denied" error. I understand it's to help prevent xss errors, BUT it seems like reading from an iframe should be safe...
So anyone know a way around it?