Cross Origin Resource Sharing (CORS) Test, Version 1

Update August 2010: iPhone OS4 appears to have fixed this issue.

This test demonstrates an apparent bug in iPhone MobileSafari's handling of Cross Origin Resource Sharing when making POST requests with JavaScript's XMLHttpRequest. If you know the cause of the problem, or have a contact at Apple who can investigate, please contact Colin Moock at

The Test:
Enter a message below, then click "Send".

Your message:

When you click "Send", JavaScript will send your data to a PHP script on a foreign domain via an XMLHttpRequest object (view the source of this page to see the code). The request should succeed because the response includes the following HTTP header:

Access-Control-Allow-Origin: *

Correct Behaviour:
In Chrome, Safari, Firefox, Android's Browser, and even Apple's iPhone Simulator, the PHP script will return your message and your browser's HTTP request headers.

Actual iPhone Behaviour:
In iPhone's MobileSafari, no post data is sent to the server. The request's Content-Length header has the value 0. The PHP script, therefore, cannot echo your input back to you. However, when this same page is served from the same domain as the target of the XMLHttpRequest POST request, MobileSafari sends the post data correctly. See demo.

Here is a sample of a failed iPhone request:

You sent:

Your request headers: 

User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Length: 0
Connection: keep-alive
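
As an added example (not the code from this page's source), the following JavaScript checks a set of echoed request headers for the failure shown above: a non-empty POST body that reaches the server with Content-Length: 0. The field name "message" is an assumption; the sample headers are the ones from the failed iPhone request listed above.

```javascript
// Added example, not the test page's own code. The field name "message"
// is an assumption; the page does not show the form's field names.

// Failed iPhone request headers, as listed in the sample above.
const IPHONE_SAMPLE = [
  "User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16",
  "Content-Type: application/x-www-form-urlencoded",
  "Accept: */*",
  "Accept-Language: en-us",
  "Accept-Encoding: gzip, deflate",
  "Content-Length: 0",
  "Connection: keep-alive",
].join("\n");

// Build an application/x-www-form-urlencoded body. Percent-encoding leaves
// only ASCII, so the string length equals the byte count the browser
// should report in Content-Length.
function encodeForm(fields) {
  return Object.keys(fields)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
}

// Parse "Name: value" lines into a map keyed by lower-cased header name.
function parseHeaders(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Compare what the client intended to send with what the server saw.
function diagnosePost(sentBody, echoedHeaderText) {
  const h = parseHeaders(echoedHeaderText);
  if (!("content-length" in h)) return "no-content-length";
  const received = Number(h["content-length"]);
  if (!Number.isInteger(received) || received < 0) return "invalid-content-length";
  if (received === sentBody.length) return "ok";
  return received === 0 ? "body-dropped" : "length-mismatch";
}

const body = encodeForm({ message: "hello world" });
console.log(body, "->", diagnosePost(body, IPHONE_SAMPLE));
```

A server-side echo script can run the same comparison when the client also reports its intended body length, which separates this bug from a user submitting an empty message.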

Test Output: