3

I have a web server which uses SSL client authentication. A web page on that server makes a same-origin GET request using the fetch() API.

In Chrome, the client cert is sent in the SSL handshake, as expected, resulting in a 200 "ok" response. In Firefox, the cert isn't sent, resulting in a 403 "forbidden" response.

In Firefox, if I switch it from using fetch() to XMLHttpRequest, it works. If I load the same URL directly from Firefox's URL bar, it works. The problem seems limited to fetch() on Firefox.

Has anyone seen this before? Is there any way to make fetch() play well with SSL client auth in Firefox, or do I need to switch to using XMLHttpRequest everywhere? Thanks.

greim

1 Answer

8

I just solved my own problem. This is what was failing:

fetch(someUrl)

This fixes the issue:

fetch(someUrl, { credentials: 'include' })

Apparently there's different behavior here between Chrome (v54) and Firefox (v45).

greim
  • Thanks, I recently switched to Firefox and couldn't understand why my site that uses client side cert authentication just wasn't working. This fixes it! – djhworld Sep 30 '17 at 19:10
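
An added example, not part of the original answer or comment: the Fetch standard counts TLS client certificates as credentials alongside cookies and HTTP authentication, so the `credentials` mode decides whether the browser may present the certificate. The wrapper below sets the mode explicitly on every request instead of relying on a browser default, and uses `'same-origin'` where that is enough so the certificate is not offered to other origins unless they are allow-listed. The names `withCredentialsMode`, `certFetch` and `PAGE_ORIGIN`, and the `example.test` origins, are hypothetical.

```javascript
// Added example: pin the fetch() credentials mode explicitly so TLS client
// certificate behaviour does not depend on a browser's default.
// Names and origins here are constructed for illustration.

const PAGE_ORIGIN = 'https://app.example.test'; // constructed sample origin

// Returns the absolute URL and an init object with an explicit credentials mode.
//   same origin as the page    -> 'same-origin' (cert, cookies, HTTP auth allowed)
//   allow-listed cross origin  -> 'include'
//   any other origin           -> 'omit'
function withCredentialsMode(input, init = {}, pageOrigin = PAGE_ORIGIN, trustedOrigins = []) {
  const target = new URL(input, pageOrigin); // also resolves relative URLs
  const sameOrigin = target.origin === new URL(pageOrigin).origin;

  let mode = 'omit';
  if (sameOrigin) {
    mode = 'same-origin';
  } else if (trustedOrigins.includes(target.origin)) {
    mode = 'include';
  }

  // A caller-supplied credentials value is overridden on purpose:
  // the wrapper is the single place where the policy is decided.
  return { url: target.href, init: { ...init, credentials: mode } };
}

// Drop-in replacement for fetch(); in a browser the page origin is taken
// from location, otherwise the constructed sample origin is used.
function certFetch(input, init, trustedOrigins = []) {
  const pageOrigin = globalThis.location?.origin ?? PAGE_ORIGIN;
  const req = withCredentialsMode(input, init, pageOrigin, trustedOrigins);
  return fetch(req.url, req.init);
}
```

For the same-origin request in the question, `certFetch('/some/path')` sends `credentials: 'same-origin'`, which per the Fetch standard permits the client certificate without extending it to cross-origin requests the way a blanket `'include'` does.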