GOT IT! This is very difficult to debug. Chrome on iOS8 works. My local Safari emulating the iOS8.1 user agent works locally, but not on the server. The iPad emulator that comes with XCode works on the server and locally.
For the preflight OPTIONS request, I am seeing Safari send: Access-Control-Request-Headers accept, authorization, origin Where other browsers send (no origin): Access-Control-Request-Headers accept, authorization So I added Origin: Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type,Authorization,Accept,Origin" But still not working. (there is a mention of this here: http://stackoverflow.com/questions/16824661/cors-request-not-working-in-safari but my angular app is on an S3 and the app servers are EC2s) Mac dev center - https://developer.apple.com/library/mac/documentation/AppleApplications/Conceptual/SafariJSProgTopics/Articles/XHR.html - lists two other headers, which safari *is* sending in the request: Access-Control-Request-Method Access-Control-Request-Headers I added them and now it is working!!! So now my apache .htaccess has this Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type,Authorization,Accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers" -- You received this message because you are subscribed to the Google Groups "AngularJS" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/angular. For more options, visit https://groups.google.com/d/optout.
