
Good day,

I'm trying to do a fetch in a web app to our Tax Authorities, but the XML request needs to be signed by a digital certificate. I have the certificate installed in my browser but cannot get fetch to ask me to choose the certificate. Is there any way to do it?

    fetch(url, {
        mode: 'no-cors',
        method: 'POST',
        credentials: 'include',
        headers: new Headers({
            'Content-Type': 'text/xml; charset=utf-8',
            'Accept': '*/*',
            'Content-Length': xml.length
        }),
        body: xml
    }).then((res) => console.log(res))

Thanks

I also tried with XMLHttpRequest, but no result.

  • Does this answer your question? [how can I force fetch to accept a self-signed certificate in a web app front end?](https://stackoverflow.com/questions/67117016/how-can-i-force-fetch-to-accept-a-self-signed-certificate-in-a-web-app-front-end) – evolutionxbox Mar 23 '23 at 16:12
  • For signing from local private key in web application, you may like to have a look at https://stackoverflow.com/a/63173083/9659885 – Bharat Vasant Mar 25 '23 at 11:32

1 Answer


You've told fetch not to use CORS.

    mode: 'no-cors',

CORS permission is required to send credentials across origins, so fetch will ignore credentials:'include'.

Quentin
  • Good day Quentin, you are right: if I set mode:'cors' the browser requests my digital certificate, but now I'm receiving a cross-origin error: Access to fetch at 'https://prewww1.aeat.es/wlpl/ADRF-JDIT/ws/VREDEFV1SOAP' from origin 'https://sin3w.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. Is there any way to get around this error? – Fran Ramirez Mar 24 '23 at 09:38
  • `https://prewww1.aeat.es/wlpl/ADRF-JDIT/ws/VREDEFV1SOAP` needs to set an `Access-Control-Allow-Origin` header to give your web application permission to access it directly from the browser (or you need a workaround involving server-side code). https://stackoverflow.com/a/35553666/19068 – Quentin Mar 24 '23 at 09:40
  • Thanks a lot Quentin. I will try to contact our Tax Agency and check if they can authorize my website as a known origin. – Fran Ramirez Mar 24 '23 at 10:01
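
The server-side workaround mentioned in the comments, sketched as an added example that is not part of the original thread: a small Node.js relay on your own server answers the preflight for your origin and makes the certificate-authenticated call server-to-server, where CORS does not apply. The upstream URL and origin are the ones quoted above; the function names, the PFX certificate file, its passphrase and the port are assumptions.

```javascript
// Added example: URL and origin come from the thread, everything else is assumed.
const UPSTREAM = new URL('https://prewww1.aeat.es/wlpl/ADRF-JDIT/ws/VREDEFV1SOAP');
const ALLOWED_ORIGIN = 'https://sin3w.com';

// CORS headers for our own front end only; null means "refuse the request".
function corsHeaders(origin) {
  if (origin !== ALLOWED_ORIGIN) return null;
  return {
    'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
    'Access-Control-Allow-Methods': 'POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',
  };
}

// Options for the server-to-server call. The destination is a constant (callers
// cannot choose it) and Node's TLS stack presents the client certificate.
function upstreamOptions(xml, pfx, passphrase) {
  return {
    method: 'POST', hostname: UPSTREAM.hostname, path: UPSTREAM.pathname,
    pfx, passphrase,
    headers: {
      'Content-Type': 'text/xml; charset=utf-8',
      'Content-Length': Buffer.byteLength(xml), // bytes, not xml.length
    },
  };
}

// Minimal relay: answers the preflight and forwards POST bodies upstream.
// Start with: startRelay(8443, fs.readFileSync('client.pfx'), passphrase)
async function startRelay(port, pfx, passphrase) {
  const http = await import('node:http');
  const https = await import('node:https');
  return http.createServer((req, res) => {
    const cors = corsHeaders(req.headers.origin);
    if (!cors) { res.writeHead(403); return res.end(); }
    if (req.method === 'OPTIONS') { res.writeHead(204, cors); return res.end(); }
    if (req.method !== 'POST') { res.writeHead(405, cors); return res.end(); }
    const chunks = [];
    req.on('data', (c) => chunks.push(c));
    req.on('end', () => {
      const xml = Buffer.concat(chunks);
      const up = https.request(upstreamOptions(xml, pfx, passphrase), (r) => {
        res.writeHead(r.statusCode, { ...cors, 'Content-Type': r.headers['content-type'] || 'text/xml' });
        r.pipe(res);
      });
      up.on('error', () => { if (!res.headersSent) res.writeHead(502, cors); res.end(); });
      up.end(xml);
    });
  }).listen(port);
}
```

The `Origin` check only controls which pages a browser lets read the response; it does not authenticate callers. Because the relay holds the certificate's private key, put it behind your application's own login and a request-size limit before exposing it.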