
SSL client certificate not loaded on ajax call from Firefox

I'm doing a CORS request from an HTTP page which includes a jQuery ajax call to another HTTPS server. This server requests SSL client certificates from the clients, so the ajax query needs to provide it.

In Chrome 35 everything works as expected, and after modifying some of the security options it also works in IE11 (although not as well as in Chrome). However, with Firefox 29 I'm unable to make it work. Using Wireshark to capture network traffic I can see that it provides an empty certificate during the TLS handshake, hence SSL validation fails. If I disable the SSL validation everything works, so CORS seems to be correctly configured in the server.

It seems as if Firefox forbids JavaScript access to the client certificate, but I can't find anything in the documentation. Any ideas on what I'm missing?

PSo3G asked Sep 30 '22 16:09


1 Answer

Firefox appears to not send the client certificate with a cross-origin XHR request by default. Setting withCredentials=true on the XHR instance resolved the issue for me. Note that I also did not see this problem with Chrome--only Firefox.

For more info see this Mozilla Dev Network blog post. In particular, the following statement:

By default, in cross-site XMLHttpRequest invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object when it is invoked.

Clint Harris answered Oct 10 '22 08:10
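
The flag from the answer, together with the response headers a browser requires once credentials are sent, as an added example that is not part of the original answer. The function names, the origin and the sample header sets are constructed for illustration.

```javascript
// Added example; function names and sample values are constructed.

// Options for jQuery.ajax(): xhrFields copies withCredentials onto the
// underlying XMLHttpRequest, the flag the answer sets.
function credentialedAjaxOptions(url) {
  return { url: url, crossDomain: true, xhrFields: { withCredentials: true } };
}

// Applies the checks a browser makes on the CORS response headers of a
// credentialed cross-origin request before exposing the response to script.
// headers: plain object of response headers; pageOrigin: scheme://host[:port]
function checkCredentialedCors(headers, pageOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const problems = [];
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin === '*') {
    problems.push('Access-Control-Allow-Origin "*" is not accepted with credentials');
  } else if (allowOrigin !== pageOrigin) {
    problems.push('Access-Control-Allow-Origin does not equal ' + pageOrigin);
  }
  // The value is compared case-sensitively against the literal "true".
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  return { ok: problems.length === 0, problems: problems };
}

// Constructed sample: an HTTP page calling an HTTPS API, as in the question.
const PAGE_ORIGIN = 'http://app.example';
const SAMPLE_RESPONSES = {
  wildcard: { 'Access-Control-Allow-Origin': '*' },
  noCredentialsHeader: { 'Access-Control-Allow-Origin': PAGE_ORIGIN },
  correct: {
    'Access-Control-Allow-Origin': PAGE_ORIGIN,
    'Access-Control-Allow-Credentials': 'true',
  },
};

for (const [label, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const result = checkCredentialedCors(headers, PAGE_ORIGIN);
  console.log(label, result.ok ? 'accepted' : result.problems.join('; '));
}
```

Without withCredentials the wildcard response is acceptable to the browser, so a server whose CORS setup worked before the flag was set can start failing once it is.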