IE11 CORS preflight request is aborted when server requests client TLS certificate

Issue #1282036 • Assigned to Brandon M.

Details

Created
Jan 2, 2015
Privacy
This issue is public.
Reports
Reported by 18 people

Sign in to watch or report this issue.

Steps to reproduce

(Carled: Internal note: although this was filed from external connect - this issue is impacting one of our scenarios for developer submission of apps to the MS Store.   Chrome works, but IE fails, and this bug would prevent developers using IE from submitting AoW apps).

URL:

Repro Steps:

  1. Set up a REST web service which uses TLS client certificates for authentication
  2. Set up an HTML/JavaScript front-end for this web service, running on a different domain
  3. Install a valid client certificate for the web service into IE11
  4. Using IE11, attempt an action in the front-end which results in a GET request to the web service
    Expected and Actual Results: The GET request succeeds, using the client cert
  5. Using IE11, attempt an action in the front-end which results in a PUT request to the web service
    Expected Results: After a preflight request, the PUT is executed successfully
    Actual Results: The preflight request is aborted and the PUT never occurs

Expected Results:

The preflight request should be performed without sending the client certificate. The actual request should then be performed with the client certificate.

Actual Results:

Dev Channel specific:

No

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Tony S.”

      Changed Steps to Reproduce

      Changed Assigned To from “Tony S.” to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Krunal S.”

      Changed Status to “Confirmed”

      Changed Assigned To from “Krunal S.” to “IE F.”

      Changed Status from “Confirmed” to “Won’t fix”

      Changed Assigned To to “David W.”

      Changed Status from “Won’t fix”

      Changed Assigned To from “David W.” to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Brandon M.”

    • This occurs regardless of whether the browser has a client certificate available. If the remote site even requests a client certificate, IE aborts the preflight. A test case server demonstrating the issue is available at https://gist.github.com/liggitt/535f6529e7efaeb6faef38434f98c3aa

    You need to sign in to your Microsoft account to add a comment.

    Sign in