I'm using angular-upload to handle file uploads in an application, served over HTTPS. Angular-upload is set up to "fall back to iframe upload when FormData isn't supported," but the combination of using iframe for uploading over HTTPS in IE9 is causing the following errors to appear in the console:
SEC7111: HTTPS security is compromised by res://ieframe.dll/forbidframing.htm
SEC7111: HTTPS security is compromised by res://ieframe.dll/ErrorPageTemplate.css
SEC7111: HTTPS security is compromised by res://ieframe.dll/errorPageStrings.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/httpErrorPagesScripts.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/red_x.png
SEC7111: HTTPS security is compromised by res://ieframe.dll/bullet.png
SEC7111: HTTPS security is compromised by res://ieframe.dll/background_gradient.jpg
I've tried adding add name="X-Frame-Options" value="SAMEORIGIN" to the custom headers in the web.config, as well as removing add name="Strict-Transport-Security" value="max-age=31536000", but neither of these approaches has changed the outcome.
Aside from refusing to support IE9 (not an option in this case), any other ideas how to make angular-upload play nicely with HTTPS/iframe in IE9?
UPDATE I was able to partially solve the problem by tagging the web api method with [AllowAnonymous]. The uploaded file is now accepted, but a related problem has arisen:
1) I can see on the "Network" monitor that there is a response coming back from the server, as intended
2) However, the monitor shows the request in a perpetually "Pending" status, so that response data never makes it back to the Angular controller, and therefore never updates the UI
3) The same list of errors shown above continue to show in the console
The error messages show that your subframe has an X-FRAME-OPTIONS header that prevents it from being framed. You need to fix that; use Fiddler to verify that the header is properly removed.
Also note that IE will treat application/json as a file download and won't render it inline.