I'm wondering if an invalid or expired SSL certificate could cause some ajax posts via Firefox to fail (not all ajax posts, some are successful)? I'm trying to determine the cause of my ajax request via firefox to be aborted (and is not seen in other browsers). If I'm using Fiddler, the post does work too.
Yes, attempting to connect to an HTTPS site that has an invalid certificate (for whatever reason) with a XHR request will make this request fail. Unlike direct requests, it won't be able to display the usual certificate warning message to ask you whether you want to proceed.
Related
I'm currently trying to make an AJAX request in a crappy dev environment. My current app is on HTTP and is making an AJAX request to an HTTPS endpoint with a broken certificate. Is there any way I can get my IE11 to stop rejecting the request?
Found a solution for fixing the messed up SSL cert situation here: https://medium.com/#ali.dev/how-to-trust-any-self-signed-ssl-certificate-in-ie11-and-edge-fa7b416cac68
I have a site with two https servers. One (frontend) serves up a UI made of static pages. The other (backend) serves up a microservice. Both of them happen to be using the same (test) X509 certificate to identify themselves. Individually, I can connect to them both over https requiring the client certificate "tester".
We were hiding CORS issues until now by going through an nginx setup that makes the frontend and backend appear that they are same Origin. I have implemented the headers 'Access-Control-Allow-Origin', 'Access-Control-Allow-Credentials' for all requests; with methods, headers for preflight check requests (OPTIONS).
In Chrome, cross-site like this works just fine. I can see that front-end URLs and backend URLs are different sites. I see the OPTIONS requests being made before backend requests are made.
Even though Chrome doesn't seem to need it, I did find the xmlhttprequest object that will be used to perform the request and did a xhr.withCredentials = true on it, because that seems to be what fetch.js does under the hood when it gets "credentials":"include". I noticed that there is an xhr.setRequestHeader function available that I might need to use to make Firefox happy.
Firefox behaves identically for the UI calls. But for all backend calls, I get a 405. When it does this, there is no network connection being made to the server. The browser just decided that this is a 405 without executing any https request. Even though this is different behavior from Chrome, it kind of makes sense. Both the front-end UI and backend service need a client certificate to be chosen. I chose the certificate "tester" when I connected to the UI. When it goes to make a backend request, it could assume that the same client certificate should be used to reach the back-end. But maybe it assumes that it could be different, and there is something else I need to tell Firefox.
Is anybody here using CORS in combination with 2 way SSL certificates like this, and had this Firefox problem and fixed it somewhere. I suspect that it's not a server-side fix, but something that the client needs to do.
Edit: see the answer here: https://stackoverflow.com/a/74744206/537554
I haven't actually tested this using client certificates, but I seem to recall that Firefox will not send credentials if Access-Control-Allow-Origin is set to the * wildcard instead of an actual domain. See this page on MDN.
Also there's an issue with Firefox sending a CORS request to a server that expects the client certificate to be presented in the TLS handshake. Basically, Firefox will not send the certificate during the preflight, creating a chicken and the egg problem. See this bug on bugzilla.
When using CORS with credentials (basic auth, cookies, client certificate, etc.):
Access-Control-Allow-Credentials must be true
Access-Control-Allow-Origin must not be *
Access-Control-Allow-Origin must not be multi-value (neither duplicated nor comma-delimited)
Access-Control-Allow-Origin must be set to exactly the value from the request's Origin header in order for the request to work (either hard-coded that way or if it passes a whitelist of allowed values)
The preflight OPTIONS request must not require credentials (including the client certificate). Part of the purpose of the preflight is to ask what is allowed in a CORS request, and therefore sending credentials before knowing if they are allowed is incorrect.
The preflight OPTIONS request must return a 200-level response, generally 204
Note: For Access-Control-Allow-Origin, you may want to consider allowing the value null since redirect chains (like the ones typically used for OAuth) can cause that Origin value in a request from a browser.
SCRIPT7002: XMLHttpRequest: Network Error 0x2ee4, Could not complete the operation due to error 00002ee2.
In the developer tools Network Panel, I notice that the Result is stated as (Aborted). All other browsers work (chrome, firefox etc.)
00002ee2 is a timeout error code. If you run Fiddler, do you see the request actually hit the wire? If so, how long does it take for a response to be returned?
Is the request "interesting" in any way (e.g. to an Intranet site, or requiring NTLM authentication, or anything like that)?
I'm working on extensions for Firefox and Chrome. The data used by my extensions is mostly generated from ajax requests. The type of data being returned is private, so it needs to be secure. My server supports https and the ajax calls are being sent to an https domain. Information is being sent back and forth, and the extensions are working correctly.
My questions are:
Do the extensions actually make secure connections with the server, or is this considered the same as cross domain posting, sending a request from a http page to a https page?
Am I putting my users' information at more risk during the transfers than if the user were to access the information directly from an https web page in the browser?
Thanks in advance!
The browser absolutely makes a secure connection when you use HTTPS. Certainly, a browser would never downgrade the security of your connection without telling you: it will either complete the request as written or it throw some sort of error if it is not possible.
Extensions for both Chrome and Firefox are permitted to make cross-domain AJAX requests. In Chrome, you simply need to supply the protocol/name of the host as a permission in your manifest.json. In Firefox, I think you may need to use Components.classes to get a cross-domain requester, as described in the MDN page for Using XMLHttpRequest, but I'm not 100% sure about that. Just try doing a normal request and see if it succeeds; if not, use the Components.classes solution.
I have an embedded web server with a self-signed SSL certificate. After I get past the Web Browser's warning about the SSL Certificate being self signed, I am seeing a difference between IE8 and Firefox 3.5.5.
In IE8, if I try to download a PNG file, it will download every time.
In FireFox, it will give me an error every other time.
The error message is this:
Secure Connection Failed
An error occurred during a connection to 192.168.1.100.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
*The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
*Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
What is causing this? Why does one browser work all the time and the other only works every other time?
It's hard to say without looking at the packets. If I had to hazard a guess, it would be that on the second request, Firefox is trying to resume the SSL session, and for some reason, the server doesn't like that. On the next request, Firefox doesn't try to resume, and it succeeds again. Maybe?