IE11 CORS preflight request is aborted when server requests client TLS certificate

Issue #1282036 • Assigned to Rajat J.

Details

Created
Jan 2, 2015
Privacy
This issue is public.
Reports
Reported by 21 people


Steps to reproduce

(Carled: Internal note: although this was filed from external connect - this issue is impacting one of our scenarios for developer submission of apps to the MS Store. Chrome works, but IE fails, and this bug would prevent developers using IE from submitting AoW apps).

URL:

Repro Steps:

  1. Set up a REST web service which uses TLS client certificates for authentication
  2. Set up an HTML/JavaScript front-end for this web service, running on a different domain
  3. Install a valid client certificate for the web service into IE11
  4. Using IE11, attempt an action in the front-end which results in a GET request to the web service
    Expected and Actual Results: The GET request succeeds, using the client cert
  5. Using IE11, attempt an action in the front-end which results in a PUT request to the web service
    Expected Results: After a preflight request, the PUT is executed successfully
    Actual Results: The preflight request is aborted and the PUT never occurs

Expected Results:

The preflight request should be performed without sending the client certificate. The actual request should then be performed with the client certificate.

Actual Results:

Dev Channel specific:

No

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Tony S.”

      Changed Steps to Reproduce

      Changed Assigned To from “Tony S.” to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Krunal S.”

      Changed Status to “Confirmed”

      Changed Assigned To from “Krunal S.” to “IE F.”

      Changed Status from “Confirmed” to “Won’t fix”

      Changed Assigned To to “David W.”

      Changed Status from “Won’t fix”

      Changed Assigned To from “David W.” to “Venkat K.”

      Changed Assigned To from “Venkat K.” to “Brandon M.”

    • This occurs regardless of whether the browser has a client certificate available. If the remote site even requests a client certificate, IE aborts the preflight. A test case server demonstrating the issue is available at https://gist.github.com/liggitt/535f6529e7efaeb6faef38434f98c3aa

    • I experience the issue as well. Isn’t it possible to complete the preflight by discarding the user certificate request?
      This makes all APIs using client certificates break in IE11…
      This bug is now 3 years old and has been marked as Won’t Fix twice?

    • Experiencing the same issue. Preflight requests get aborted by IE11.

    • What’s the situation with this issue? It affects any dev using fetch with React!

    • Microsoft Edge Team

      Changed Assigned To from “Brandon M.” to “Rajat J.”

    • This is definitely still happening. In every other browser, CORS + client certificates work fine. In IE11 and Edge, the following error is thrown in the console:

      SCRIPT7002: XMLHttpRequest: Network Error 0x4c7, The operation was canceled by the user.

    • I also am getting this error in IE11 and IE10. I am using fetch with React to make calls to a .Net Web Api server that uses Client Certificates for authentication.

      • SCRIPT7002: XMLHttpRequest: Network Error 0x4c7, The operation was canceled by the user.

      I have tested this in several different scenarios. I tested this in PowerShell doing an Invoke-WebRequest with no Certificate and it gave me:

      • 403 - Forbidden: Access is denied

      and then I added a Certificate and it came back with

      • StatusCode: 200.

      Firefox and Chrome do not require a Cors Preflight.

      Is there any workaround for these API Calls to be made in IE11 or 10?

    • In our scenario, Firefox and Chrome do also require CORS preflight, but the related OPTIONS request completes successfully. In IE, the preflight request is cancelled the moment the request for a client certificate is identified.

    • I actually think I found a fix for it. I was just able to get a value back from the server.

      I added this in my webapiconfig.cs

      var cors = new EnableCorsAttribute("http://localhost:30033", "*", "*") { SupportsCredentials = true };

      and in my Web.Config I added

      in my Fetch I just added

      {
        method: "GET",
        headers: myHeaders,
        credentials: "include"
      };
      

      This works in IE11 and IE10!

    • Sorry this is my actual Cors code in the WebApiConfig.cs file.

      var cors = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };
      config.EnableCors(cors);

    • Ah the Web.Config didn’t come over. Here it is.

    • Yes, I have resolved this too. Just to provide the solution in generic terms rather than .Net Web API:

      • The server must return the Access-Control-Allow-Credentials: true header.
      • On the client side, the withCredentials flag must be set on the XHR object.
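
The two conditions in the last comment, as an added example that is not part of the original thread: a JavaScript check over a preflight response's headers for a credentialed request such as the PUT in the repro steps. Browsers reject a literal `*` in Access-Control-Allow-Origin when credentials are included, so a server that allows every origin with credentials has to echo the caller's Origin; the check flags that when the origin is not on an allowlist. The function name, finding labels, origins and header values are constructed for illustration.

```javascript
// Added example: audit a CORS preflight response for a credentialed request.
// Function name, finding labels and sample values are constructed for illustration.
const SAFELISTED = ["GET", "HEAD", "POST"]; // methods that need no Allow-Methods entry

function auditCredentialedPreflight(requestOrigin, method, headers, trustedOrigins) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];

  // Without this header the browser fails the CORS check for a credentialed request.
  if (h["access-control-allow-credentials"] !== "true") {
    findings.push("missing-allow-credentials");
  }

  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    findings.push("missing-allow-origin");
  } else if (allowOrigin === "*") {
    // Browsers reject a wildcard origin when credentials are included.
    findings.push("wildcard-origin-with-credentials");
  } else if (allowOrigin !== requestOrigin) {
    findings.push("origin-mismatch");
  } else if (!trustedOrigins.includes(requestOrigin)) {
    // The server echoed an origin that is not on the allowlist.
    findings.push("untrusted-origin-reflected");
  }

  // A non-safelisted method such as PUT must be listed in the preflight response.
  const verb = method.toUpperCase();
  const allowed = (h["access-control-allow-methods"] || "").split(",").map((m) => m.trim());
  if (!SAFELISTED.includes(verb) && !allowed.includes(verb)) {
    findings.push("method-not-allowed");
  }
  return findings;
}

// Constructed sample: the front-end origin is approved and the server names it.
const sample = auditCredentialedPreflight(
  "https://app.example",
  "PUT",
  { "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, PUT" },
  ["https://app.example"]
);
console.log(sample.length === 0 ? "preflight OK" : sample.join(", "));
```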
