I've managed to make a CORS request on IE8 using XDomainRequest. However, it seems the cookies are not sent on IE8. Is there any hack for that? The request is made from buy.example.com to buy.api.example.com.
There is no way except to include the authentication cookie value / token in the query string, e.g.:

buy.api.example.com/?sessionId=$sessionId&otherparameters=test

and set your web service to check the query string if cookies are not present.
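
One way to implement the server-side fallback described in the answer, written for this page as an added example and not code from the original post. The function names, the cookie name `sessionId`, the token format and the Node-style request shape (`req.headers`, `req.url`) are assumptions; the redaction helper is there because query strings are normally written to access logs.

```javascript
// Added example: hypothetical helpers, not from the original answer.
const TOKEN_NAME = 'sessionId';                  // query parameter from the answer; cookie name assumed to match
const TOKEN_FORMAT = /^[A-Za-z0-9_-]{16,128}$/;  // assumed token alphabet and length
const BASE = 'https://buy.api.example.com';      // only used to parse relative request URLs

// Parse a Cookie header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Prefer the cookie. Use the query string only when no session cookie arrived,
// which is the XDomainRequest case on IE8. Returns null when nothing usable is present.
function resolveSession(req) {
  const fromCookie = parseCookies(req.headers.cookie)[TOKEN_NAME];
  if (fromCookie) {
    return TOKEN_FORMAT.test(fromCookie) ? { id: fromCookie, source: 'cookie' } : null;
  }
  const values = new URL(req.url, BASE).searchParams.getAll(TOKEN_NAME);
  // Reject repeated parameters so the token is unambiguous, and reject malformed values.
  if (values.length !== 1 || !TOKEN_FORMAT.test(values[0])) return null;
  return { id: values[0], source: 'query' };
}

// Return the path and query with the token masked, for use in log lines.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl, BASE);
  if (url.searchParams.has(TOKEN_NAME)) url.searchParams.set(TOKEN_NAME, 'REDACTED');
  return url.pathname + url.search;
}

// Constructed sample requests (the token value is made up).
const viaQuery = { headers: {}, url: '/?sessionId=a1B2c3D4e5F6g7H8&otherparameters=test' };
const viaCookie = { headers: { cookie: 'theme=dark; sessionId=a1B2c3D4e5F6g7H8' }, url: '/?otherparameters=test' };
console.log(resolveSession(viaQuery), resolveSession(viaCookie), redactUrl(viaQuery.url));
```

The returned `id` still has to be looked up in the session store; `source` lets the service log or rate-limit the query-string path separately.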