Layer7 API Management

  • 1.  IE blocking cors request for CA proxy

    Posted Aug 02, 2019 07:34 AM
    Hello, 

    I am facing an issue where my UI application tries to connect to CA proxy for business services.
    The application works fine on Chrome but not on IE versions.

    I had a discussion with the Microsoft support team and the support engineer confirmed the below:
    The server is requesting a certificate which the client failed to produce, hence the connection was aborted.
    Also, the application works fine if I enable Fiddler as, per him, Fiddler overwrites some certificates.

    I am not very satisfied with this outcome as I have seen the application working without any issue in the past.

    Has anyone faced such issues before?
    Please suggest.


  • 2.  RE: IE blocking cors request for CA proxy
    Best Answer

    Posted Aug 04, 2019 12:17 PM
    We've run into this as well.

    https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/1282036/ 

    Microsoft product team informed us this behavior is by design and they will not update or change anything.  We pointed out that client authentication was set to Optional on the HTTPS port, meaning IE is free to simply ignore the request for a client certificate and complete the CORS preflight check.  This is the behavior of Firefox, Chrome, Safari, etc.  Unfortunately, this did not sway Microsoft.

    The best solution is to avoid using Microsoft web browsers.  If this isn't an option, alternatives would be to set client authentication to None on the HTTPS port, or to have IE customers use a secondary HTTPS port on the Gateway, or a load balancer or other web proxy fronting the Gateway, with client authentication set to None.


  • 3.  RE: IE blocking cors request for CA proxy

    Posted Aug 05, 2019 07:07 AM
    Thank you Matt Van Auwelaer.

    I will update on the suggested options.


  • 4.  RE: IE blocking cors request for CA proxy

    Posted Aug 05, 2019 02:24 AM
    Hi,
    We also had this issue on the customer's side. As I researched the behavior, I realized that IE doesn't allow multivalued headers. The gateway sets multivalued headers by default for CORS (which is standard imho).
    So I set the CWP cors.useMultiValuedHeaders to false and this solved it, at least for us.

    ------------------------------
    Product Manager
    APIIDA AG
    ------------------------------



  • 5.  RE: IE blocking cors request for CA proxy

    Posted Aug 05, 2019 07:05 AM
    Thank you so much Waldemar Rosenfeld.
    Unfortunately, changing cors.useMultiValuedHeaders to false didn't work for me.


  • 6.  RE: IE blocking cors request for CA proxy

    Posted Aug 05, 2019 09:26 AM

    Hello,

    Just to complement Waldemar, you could check the request header "User-Agent" and, if it contains IE, use an assertion where the allow multivalued is false. In that way you are browser independent.




  • 7.  RE: IE blocking cors request for CA proxy

    Posted Aug 05, 2019 09:27 AM

    Hello,

    Just to complement Waldemar.

    You could check this value dynamically from the request header: if the header "User-Agent" contains IE, then you can disable the value; if not, you can use the standard response. In that way you do not need to be browser dependent.

    Regards,
    Albert.
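
The User-Agent check suggested in the last replies, sketched as an added example (not posted by anyone in the thread and not Layer7 policy code). It assumes "multivalued" means one header line per value as opposed to a single comma-separated line; the function names, policy object and origin are hypothetical. The User-Agent only selects the header layout, while the Origin allowlist still decides whether any CORS headers are returned.

```javascript
// Added example: names, policy object and origin below are constructed.
const POLICY = {
  origins: ['https://ui.example.test'],
  methods: ['GET', 'POST', 'OPTIONS'],
  headers: ['Content-Type', 'Authorization'],
};

// IE 10 and older send "MSIE <version>"; IE 11 drops that token but
// still sends "Trident/".
function isInternetExplorer(userAgent) {
  return /\bMSIE \d|\bTrident\//.test(userAgent || '');
}

// Returns [name, value] pairs for a preflight response, or [] when the
// Origin is not on the allowlist. Only the layout depends on the browser.
function preflightHeaders(origin, userAgent, policy = POLICY) {
  if (!policy.origins.includes(origin)) return [];
  const out = [
    ['Access-Control-Allow-Origin', origin],
    // The response now varies by browser, so shared caches must key on it.
    ['Vary', 'Origin, User-Agent'],
  ];
  const lists = [
    ['Access-Control-Allow-Methods', policy.methods],
    ['Access-Control-Allow-Headers', policy.headers],
  ];
  for (const [name, values] of lists) {
    if (isInternetExplorer(userAgent)) {
      out.push([name, values.join(', ')]);          // single folded line
    } else {
      for (const v of values) out.push([name, v]);  // one line per value
    }
  }
  return out;
}
```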