How is Fiddler 'fixing' a CORS error in MS Edge?

There are a few possibilities; without exact details of your configuration, we're just shooting in the dark.

One possibility is that your computer is configured with an Intranet zone and that Intranet zone is dependent on a proxy configuration script: http://blogs.msdn.com/b/ieinternals/archive/2012/06/05/the-local-intranet-security-zone.aspx. When Fiddler is running, the proxy settings are pointed at Fiddler itself.

 

Brilliant, thanks Eric, that was it.

 I guess if I crank the Local intranet zone up to Medium-High to match the Internet zone then I can use Fiddler to help me work out what Edge is getting upset about.

Ah, right, there's another factor at work here if you're using an Intranet site as the target of an XHR from a site in the Internet zone.

Edge runs in Enhanced Protected Mode (AppContainer). That has a feature which blocks access to Private Network Resources from Internet-Zone processes. See the "Private Network resources" section of http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx for more details.

 

Thanks Eric, I'd forgotten that I had added Edge to the AppContainer Loopback Exemption Utility.

 My hosts file has two entries:

web.app.test 127.0.0.1
api.app.test 192.168.0.111

So the SPA is served from web.app.test which is making ajax calls to api.app.test (this is so I can share an authentication cookie across subdomains).

If I add web.app.test to the Local Intranet zone then Edge is happy, without the need to use Fiddler to get around the issue. It's all a bit horrible but as it shouldn't be a problem in production I've resolved not to worry about it.

Thanks again for all your help with this and for the brilliant and irreplaceable Fiddler. 

Thanks to this discussion, I could figure out whats going on in my Recat-windowsAuth-asp.net app running on localhost trying to access APIs hosted in intranet. Thanks for all the insight.