CORS requests to domains with self-signed certificates are dropped

Issue #15738527 • Assigned to Steven K.

Details

Created
Feb 1, 2018
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
41.16299
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

Dear Edge-Team,

I’m currently having an issue with Edge dropping CORS requests to domains with self-signed certificates.

In our company, we are deploying self-signed certificates to our Windows (10) clients. Our staging domains are served with certificates (TLS) signed by our root-authority.
This means our staging-domain-certificate is trusted by our Windows clients.

But whenever a CORS request from our staging-website (regardless of XHR or fetch requests) is made to our staging-API, the request is dropped. (See attachments)

Example: (Staging site) https://foo.bar.domain.tld/path -> (Staging API) https://api.bar.domain.tld/path

If I run this in IE11, the request is sent as expected.

If I open the link to the staging API (https://api.bar.domain.tld/path) directly, I get a response as expected and without any certificate warnings.

I also added the HTML file I used to reproduce the problem.

If you need more input (details about the certificate), I’ll provide them to you.

Regards

Attachments

1 attachment

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi,

    I want to make sure I understand the issue.  I understand the main issue that CORS is not working with self-signed certificates.  I would like to know where you believe the request is being dropped?  I looked at the attached screenshot, however, I was not certain under what condition the log was created.

    Do you know the server is not receiving the CORS request and that it is not leaving the client machine?

    Additional information on how you created the self-signed certificate could be useful.  I think we should verify some of the issues first.  I say this because it seems CORS configuration on the server is a more common problem.  Here is an example for IIS CORS configuration.

    https://docs.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference

    Will you provide information on how your server is configured or a fiddler4 trace so we can see the request and responses?

    Steve

  • Hi,

    about the certificate:
    We created our root certificate with the “Microsoft Active Directory Certificate Services” (default settings).
    With this root certificate, we created an intermediate certificate to install on our Windows clients.
    With this intermediate certificate, we created certificates for our staging environment. All websites on our staging environment are served by nginx.

    There can’t be an issue with our CORS configuration, because other browsers (Firefox, Chrome, Safari) work just fine.

    I tried to recreate the issue in one of the official IE/Edge VMs (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).

    In IE11, I got the following message on a CORS request (to a domain with the exact same certificate as the origin):

    Security Alert
    Revocation information for the security certificate for this site is not available. Do you want to proceed?
    (See attached screenshot)
    If I click "Yes", CORS requests work just fine.

    In Edge, the CORS request fails (without a pop-up like in IE11) and the console prints the following message: “XMLHttpRequest: Network Error 0x800c0019, Security certificate required to access this resource is invalid.”
    But if I open the requested URL directly in a tab, there is no certificate error at all.

    Due to our non-trivial setup, I can’t provide a working test-case for you. So this will be hard/impossible for you to debug.

    Nonetheless, do you have any idea what the issue here could be?

  • Edit: we install root and intermediate certs on our windows clients.

You need to sign in to your Microsoft account to add a comment.

Sign in