Cross-domain SSL handshake failure in Firefox with XHR and a client certificate

Posted 2024-10-04 04:05:11 · 722 characters · 0 views · 0 comments

The setup is as follows:

  • Firefox (both 3.x and 4b) with properly set up and working certificates, including a client certificate.
  • Web page with an XMLHttpRequest() type of AJAX call to a different subdomain.
  • Custom web server in said subdomain accepting requests, responding with a permissive Access-Control-Allow-Origin header and requiring client verification.

The problem is that Firefox aborts the request (well, that's what it says in firebug anyway) abruptly. Running the setup with openssl s_server instead hints that Firefox actually doesn't even send the client certificate:

140727260153512:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate:s3_srvr.c:2965:ACCEPT

The same exact setup works perfectly with Chrome, suggesting perhaps a bug in Firefox. However, performing the ajax call with a <script> element injected into the DOM seems to work as intended...

So, has anyone else run into this? Is it a bug? Any workarounds? Is there something obvious missing?

Comments (2)

东走西顾 2024-10-11 04:05:11

Chiming in 5 years later probably isn't much help to the OP, but in case someone else has this issue in the future...

Firefox appears to not send the client certificate with a cross-origin XHR request by default. Setting withCredentials=true on the XHR instance resolved the issue for me. Note that I also did not see this problem with Chrome--only Firefox.

For more info see this Mozilla Dev Network blog post. In particular, the following statement:

By default, in cross-site XMLHttpRequest invocations, browsers will
not send credentials. A specific flag has to be set on the XMLHttpRequest object when it is invoked.
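
As an added example (not code from either answer or from the questioner's server), here is the client-side flag the answer above describes, together with the server-side header logic a credentialed cross-origin request needs: once the request carries credentials, the permissive wildcard `Access-Control-Allow-Origin: *` from the question cannot be used, because browsers reject `*` combined with `Access-Control-Allow-Credentials: true`, so the server must echo one specific allow-listed origin. The origin list and the function names are this example's own assumptions.

```javascript
// Constructed allow-list of origins permitted to make credentialed calls.
const ALLOWED_ORIGINS = new Set([
  'https://www.example.com',
  'https://app.example.com',
]);

// Client side: a cross-origin XHR only carries credentials (cookies, HTTP
// auth and, per the answer above, the TLS client certificate in Firefox)
// when withCredentials is set before send(). XhrCtor defaults to the
// browser's XMLHttpRequest; it is a parameter only so the logic can be
// exercised outside a browser.
function openCredentialedXhr(url, XhrCtor = XMLHttpRequest) {
  const xhr = new XhrCtor();
  xhr.open('GET', url, true);
  xhr.withCredentials = true; // the "specific flag" the MDN quote refers to
  return xhr;
}

// Server side: CORS headers for a credentialed response. An origin that is
// not allow-listed gets no CORS headers at all, so the browser blocks the
// read; an allow-listed origin is echoed back verbatim instead of "*".
function corsHeadersFor(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now differs per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Check a header set for the invalid wildcard-plus-credentials combination
// that a server migrating from the question's permissive setup could produce.
function isValidCredentialedCors(headers) {
  return headers['Access-Control-Allow-Origin'] !== '*' &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}
```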

风铃鹿 2024-10-11 04:05:11

The reason injecting the script works as opposed to a simple XHR request is because of the Single Origin Policy. This would probably explain why Chrome allows the XHR but not FF; Chrome considers the subdomain part of the same origin, but FF does not.

Injecting scripts from other domains (which is what Google Analytics does) is allowed and one of the practices to handle this situation.

The way my team handles this situation is by making a request through a server-side proxy.

I would recommend using a server-side proxy if you can, but the script injection method works fine as long as the code is coming from a trusted source.

I also found this article which describes your situation.
