Issue 96007

Starred by 57 users

Issue metadata

Status: WontFix
Last visit > 30 days ago
Closed: Oct 2015
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

CORS preflight AJAX request on page with self-signed certificate

Reported by, Sep 9 2011

Issue description

Chrome Version       : Google Chrome	13.0.782.220 (Official Build 99552)
Operating system:	Windows
WebKit	535.1 (branches/chromium/782@93192)
JavaScript	V8
URLs (if applicable) :
Other browsers tested: Firefox, Safari, IE, Opera
Add OK or FAIL after other browsers where you have tested this issue:
     Safari 5: OK
  Firefox 4.x: OK
       IE 7/8/9: FAIL

What steps will reproduce the problem?
1. Navigate to an HTTPS page and accept the self-signed certificate.
2. Navigate to an HTTP page which wants to send an AJAX request to the same page over HTTPS.
3. Try it again with the AJAX request using custom headers. Now a preflight request shall be made.

What is the expected result? Successful AJAX preflight request

What happens instead? The request isn't sent. In developer tools, there isn't any sign of this request. It looks like it is denied before sending. But it shouldn't be denied, because the certificate was accepted.

Please provide any additional information below. Attach a screenshot if
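
Why step 3 behaves differently from step 2, as an added example that is not part of the original report: a simplified version of the Fetch standard's decision on whether a cross-origin request needs an OPTIONS preflight. The host `dev.example.test` and the header `X-Custom` are placeholders; the standard's byte-level value checks, the `Range` header and XHR upload listeners are left out.

```javascript
// Added example: simplified CORS preflight decision (reduced from the Fetch standard).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// A header is CORS-safelisted only if its name is on the list, its value is
// short, and (for Content-Type) the MIME type is one of the three form types.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFE_HEADERS.has(n)) return false;
  if (String(value).length > 128) return false;
  if (n === "content-type") {
    const essence = String(value).split(";")[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(essence);
  }
  return true;
}

// Returns whether the request is cross-origin, whether the browser sends a
// preflight first, and which parts of the request caused it.
function preflightDecision(pageUrl, targetUrl, method = "GET", headers = {}) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  // Origin = scheme + host + port, so http:// and https:// on the same host differ.
  if (page.origin === target.origin) {
    return { crossOrigin: false, preflight: false, reasons: [] };
  }
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value)) reasons.push(`header ${name.toLowerCase()}`);
  }
  return { crossOrigin: true, preflight: reasons.length > 0, reasons };
}

// Constructed inputs mirroring steps 2 and 3 of the report.
const page = "http://dev.example.test/";
const api = "https://dev.example.test/api";
console.log(preflightDecision(page, api, "GET"));                      // no preflight
console.log(preflightDecision(page, api, "GET", { "X-Custom": "1" })); // preflight
```

When `preflight` is true, the OPTIONS request is a separate connection-level fetch that the browser issues on its own, so it is subject to the same certificate validation as any other HTTPS load.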


Comment 1 by, Sep 12 2011

Labels: -Area-Undefined Area-Internals Internals-Network-SSL
Issue still persists in Google Chrome version 24 (Linux and Windows).
Labels: -Internals-Network-SSL Internals-Network-HTTP WebKit-Loader
Marking this as HTTP/Loader, since that's where SSL cert overrides are handled.
Project Member

Comment 4 by, Mar 10 2013

Labels: -Area-Internals -Internals-Network-HTTP -WebKit-Loader Cr-Internals-Network-HTTP Cr-Internals Cr-Content-Loader
Project Member

Comment 5 by, Apr 6 2013

Labels: Cr-Blink
Project Member

Comment 6 by, Apr 6 2013

Labels: -Cr-Content-Loader Cr-Blink-Loader
Workaround for local development: Add your server certificate to the Trusted Root Certificates on your local machine.
Same issue on desktop chrome Version 30.0.1599.69
No issue on mobile chrome Version 30.0.1599.16

Comment 9 by Deleted ...@, Nov 17 2013

Facing the same issue with Android chrome version v30.0.1599.92

Comment 10 by, Nov 25 2013

Issue persists in Chrome 31.0.1650.57.
Most likely a dupe of Issue 324096 (at least in root cause re: tab/WebContents associativity)

Comment 12 by Deleted ...@, Dec 18 2013

Looks like it's still happening in 31.0.1650.63 m
Labels: M-34
Status: Assigned
I am punting this over to japhet though, who is working on 324096 and for which this is likely a duplicate. 

Comment 15 by Deleted ...@, Feb 4 2014

Still facing the issue in - Version 32.0.1700.102 m. The ajax post call is working with HTTP but not with HTTPS with self signed certificate. The request status is cancelled. The developer tool shows a warning as "CAUTION:Provisional headers are shown".

Comment 16 by Deleted ...@, Feb 4 2014

Same issue although for both http and https.  
Made a request with Chromium 31.0.1650.48 (240209) - bug is still there.
...and it doesn't just concern self-signed certificates. Every custom header value returns an error.
More info here on StackOverflow:

Comment 19 by, Mar 3 2014

Labels: -M-34 MovedFrom-34 M-35
Moving all non essential bugs to the next Milestone.

Comment 20 by, Apr 7 2014

Labels: -M-35 MovedFrom-35
This issue has already been moved once and is lower than Priority 1, therefore removing mstone.
So, a bug that does not allow testing **any** type of https with PUT in a non-production environment is "lower than Priority 1"?
Cool stuff.

Comment 22 by Deleted ...@, Apr 8 2014

Would love to see this resolved.  We've written APIs for our mobile/tablet apps using all the correct RESTful http verbs (including PUT and DELETE) and would love to use the same apis to serve our desktop website.  This bug is holding us back and forcing us to adopt hacky solutions.  QA team is really not a fan of having to do things in test environments that real users wouldn't have to do.  Decreases the level of confidence that things will work when released significantly.

All that to say, please fix!  :)

Comment 23 by Deleted ...@, Apr 9 2014

Agreed. This has been around for a long time and I'm forced to use chrome with no security settings in order to overcome this issue. Please fix. Thanks!
The theory is that this was fixed for Chrome 34, which was just pushed out to the stable channel. Please double-check that you are running Chrome 34 or higher, and if you still see this, we'll keep hunting.
There haven't been any additional complaints in the last 2 weeks. Has this still been happening for folks since Chrome 34 was launched?

Comment 26 by Deleted ...@, May 8 2014

I still get this in chrome 34 with a self signed star certificate.  https:// url includes basic auth ie. 

The error is net::ERR_INSECURE_RESPONSE for a preflight OPTIONS request. It works fine with plain http:// in chrome, and safari _with_ ssl. 
If this is still happening, it's probably not a blink issue anymore. rsleevi, would you mind taking a look again?
Issue 171817 has been merged into this issue.
Still happening in Chrome 38 with self signed certificate, preflight OPTIONS fails without any error message, while server reports:

NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://localhost:57112/ping/'.

I'm getting this in Version 39.0.2171.99 m. Really is annoying. Seems a bit sporadic too.
Labels: -Cr-Internals-Network-HTTP -Cr-Internals -Cr-Blink Cr-Internals-Network-SSL Cr-Blink-SecurityFeature

Comment 32 by Deleted ...@, Jan 28 2015

Seeing what I think is this same issue on Version 39.0.2171.99 (64-bit) Linux.

https with self signed certificate.

Ajax calls work for a while then start getting this message:
Please folks fix it. I have a self-signed certificate and try to do a cross-origin request where I add a header; my Chrome version 41 is not able to read that header.
I am already sending all CORS headers from the server, still the same issue.

Comment 34 Deleted

Have been running Canary build on mac for a while and was able to do CORS with self-signed certs after accepting in a different tab pointing directly to the other domain. Then I messed around with the keychain, trying to install the certificate so I didn't need to accept it every time I restart. Somehow that caused it to start happening, but only on one domain. And only on Chrome Canary, the release version is fine. Thought reinstalling and deleting profile info should fix it but still having trouble. 
Labels: Hotlist-Recharge
This issue likely requires triage.  The current issue owner may be inactive (i.e. hasn't fixed an issue in the last 30 days or commented in this particular issue in the last 90 days).  Thanks for helping out!

Labels: -Hotlist-Recharge
Tossing to jww@, but you might just want to close it and ask for people to file new bugs if it's still a problem since a lot's changed in this area.

Comment 38 by, Oct 5 2015

Status: WontFix
That's exactly what I'm going to do :-) As davidben@ says, a lot has changed here, so if you're still experiencing similar issues, please feel free to file new bugs.
