Mad, Beautiful Ideas
New Windows Update Breaks ServerXMLHttpRequest

At work, we're a 100% Windows shop, and the vast majority of our code so far is written in classic ASP, which means the web service calls we do all depend on the Microsoft XML Core Services library. It's a great library, and has served us well, but we have, more than once, been bitten by the Windows Update bug.

When we upgraded to Windows Server 2008, we found we needed to start explicitly using MSXML 6.0 (at least for one of our applications). That took a short while to debug, but what we're doing is simple enough that it was no big problem. However, a Windows Update our sys-admin installed last week evidently created a problem with setting some headers that we simply hadn't had before.

Our use case is simple. A user logs into our site, we get their SSN from one web service, and issue a call to the National Student Clearinghouse, which returns an HTML page which should redirect the user to the NSC in a logged-in status, which will allow them to perform some self-service stuff through the NSC that saves our office some work. The code is, therefore, pretty straightforward.

        Dim xmlhttp
        Set xmlhttp = CreateObject("MSXML2.ServerXMLHTTP.6.0")
        xmlhttp.Open "POST", "", False
        xmlhttp.SetRequestHeader "Referer", ""
        xmlhttp.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        xmlhttp.Send postData

Okay, so the URLs are obviously wrong, but the Referer header is very important: it's how the Clearinghouse identifies which university the requests are coming from, and the postData includes several more authentication factors, as well as the user's SSN so that the NSC can properly identify whom we are sending to them. Their response is an HTML document we write out to our visitor that includes a JavaScript redirect sending them to the Clearinghouse's own servers.

However, since we installed (I believe) KB954459, it no longer works. For some reason, it refuses to attach the "Referer" header. I tested this by modifying the above script to call a script on my local server which merely sends me an e-mail with the raw headers using the

contents. The return value:

        Connection: Keep-Alive
        Content-Length: 45
        Content-Type: application/x-www-form-urlencoded
        Accept: */*
        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Notably absent is the Referer header. I'm not sure why this is, nor have I found a workaround just yet. I am contacting the Microsoft XML Team over this, as we'd like to have the security update installed, but we really do need this application to be working. If anyone has any ideas...I'm all ears.
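
The header check described above can be repeated after each patch cycle with a small loopback endpoint. This is an added example, not the script used in this post: it is written in Python rather than ASP, and the names `HeaderCapture`, `start_capture`, `REQUIRED` and port 8099 are assumptions. It records the headers of every POST it receives, reports which required ones are missing, and discards the body so an SSN in the form data is never stored.

```python
# Added example: loopback endpoint that records the headers of each POST it receives.
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers the request in this post is expected to carry (assumed list).
REQUIRED = ("Referer", "Content-Type")


class HeaderCapture(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # drain the body and drop it; it may hold an SSN
        report = {
            "raw": list(self.headers.items()),
            # header lookup is case-insensitive, so "referer" also counts
            "missing": [h for h in REQUIRED if self.headers.get(h) is None],
        }
        self.server.captured.append(report)
        body = ("missing: " + (", ".join(report["missing"]) or "none")).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep request lines out of stderr
        pass


def start_capture(port=0):
    """Start the endpoint on 127.0.0.1; port 0 asks the OS for a free port."""
    server = HTTPServer(("127.0.0.1", port), HeaderCapture)
    server.captured = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_capture(8099)  # arbitrary local port
    print("POST to http://127.0.0.1:8099/ and press Enter to dump the captures")
    input()
    for entry in srv.captured:
        print(entry["missing"], entry["raw"])
    srv.shutdown()
```

Pointing the `xmlhttp.Open` call at this endpoint instead of the real service shows in the response body whether the Referer header survived, without any real credentials leaving the machine.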