未从Firefox的ajax调用上加载SSL客户端证书 [英] SSL client certificate not loaded on ajax call from Firefox
问题描述
我正在从HTTP页面执行CORS请求,该页面包括对另一个HTTPS服务器的JQuery ajax调用.该服务器向客户端请求SSL客户端证书,因此ajax查询需要提供它.
I'm doing a CORS request from an HTTP page which includes a JQuery ajax call to another HTTPS server. This server requests SSL client certificates to the clients, so the ajax query needs to provide it.
在Chrome 35中,所有功能均按预期工作,并且修改了一些安全选项,使其在IE11中也可以工作(尽管在Chrome中不尽人意).但是,对于Firefox 29,我无法使其正常运行.使用Wireshark捕获网络流量,我可以看到它在TLS握手期间提供了空证书,因此SSL验证失败.如果我禁用SSL验证,则一切正常,因此似乎在服务器中正确配置了CORS.
In Chrome 35 everything work as expected, and modifying some of the security options it also works in IE11 (although not as well as in Chrome). However, with Firefox 29 I'm unable to make it work. Using Wireshark to capture network traffic I can see that it provides and empty certificate during the TLS handshake, hence SSL validation fails. If I disable the SSL validation everything works, so CORS seems to be correctly configured in the server.
似乎Firefox禁止JavaScript访问客户端证书,但我在文档中找不到任何内容.关于我所缺少的东西有什么想法吗?
It seems as it firefox forbids JavaScript access to the client certificate, but I can't find anything on the documentation. Any ideas on what I'm missing?
推荐答案
默认情况下,Firefox似乎不发送带有跨域XHR请求的客户端证书.在XHR实例上设置withCredentials=true可以为我解决此问题.请注意,我也没有在Chrome(只有Firefox)上看到此问题.
Firefox appears to not send the client certificate with a cross-origin XHR request by default. Setting withCredentials=true on the XHR instance resolved the issue for me. Note that I also did not see this problem with Chrome--only Firefox.
有关更多信息,请参见此Mozilla Dev Network博客文章.特别是以下语句:
For more info see this Mozilla Dev Network blog post. In particular, the following statement:
默认情况下,在跨站点XMLHttpRequest调用中,浏览器将 不发送凭据.调用XMLHttpRequest对象时,必须设置一个特定的标志.
By default, in cross-site XMLHttpRequest invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object when it is invoked.
这篇关于未从Firefox的ajax调用上加载SSL客户端证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
