Cefsharp: Self-signed cert leads to some AJAX requests being cancelled

Created on 2 Jul 2015 · 29 Comments · Source: cefsharp/CefSharp

CefSharp 41 (WPF), Windows 7, x64.

I'm pointing CefSharp towards an https url, which provides a self-signed certificate. I've implemented IRequestHandler, and am returning true from its OnCertificateError method. The page loads fine, but attempts to make a few ajax requests per second. If I look at those requests using Chrome Developer Tools, I see that about half of them are being cancelled.

If I point it towards the http version of that url, everything works fine.

If I don't implement IRequestHandler, or I return false from OnCertificateError, then every request is cancelled.

This was not an issue in CefSharp 37, but does appear to be an issue in 39.

Thanks!

upstream


All 29 comments

> If I look at those requests using Chrome Developer Tools, I see that about half of them are being cancelled.

Consistently the same Urls?

Sounds like they tightened up some security restriction. Do you have a sample of the html?

A given url can be cancelled or not. Who's "they" in this context? CEF?

I don't have a minimal sample to hand, but I'll put one together.

> A given url can be cancelled or not. Who's "they" in this context? CEF?

You said half of them are being cancelled, is it consistent which ones are being cancelled?

Out of curiosity, have you tried disabling WebSecurity or using Cef.AddCrossOriginWhitelistEntry? Be curious to see if this is security related.

https://github.com/cefsharp/CefSharp/blob/cefsharp/41/CefSharp.Core/BrowserSettings.h#L217
https://github.com/cefsharp/CefSharp/blob/cefsharp/41/CefSharp.Core/Cef.h#L230

> You said half of them are being cancelled, is it consistent which ones are being cancelled?

Roughly half of the requests are being cancelled. There's no pattern (that I can see) between which requests are cancelled and what url the request is made to. It appears to be random as to whether or not any given request is cancelled.

I haven't tried those: I'll have a shot over lunch.

> Roughly half of the requests are being cancelled. There's no pattern (that I can see) between which requests are cancelled and what url the request is made to. It appears to be random as to whether or not any given request is cancelled.

Strange indeed. Does it give a generic status code in dev tools?

Screenshot: [image: cefsharp]

Probably important: I've just noticed that OnCertificateError isn't being called for _any_ ajax requests (although it is called for the initial page load). EDIT - actually the behaviour here is the same as for CefSharp 37, so probably not important after all :stuck_out_tongue_closed_eyes:

Setting WebSecurityDisabled = true makes no difference.

What parameters should I pass to AddCrossOriginWhitelistEntry? I tried Cef.AddCrossOriginWhitelistEntry("https://localhost", "https", "https://localhost", false); but that made no difference.

The cancelled requests don't hit OnBeforeResourceLoad either

> Setting WebSecurityDisabled = true makes no difference.

If setting WebSecurityDisabled = true didn't work then adding a cross origin exclusion is unlikely to.

I don't have a lot of doco on AddCrossOriginWhitelistEntry, there's https://github.com/cefsharp/CefSharp/issues/845#issuecomment-76207502

You might need to include the port in your case. Regardless, disabling security should have overwritten all security restrictions. So basically rules that theory out.

Is it easy enough to load the page in another browser or is it tightly coupled to your app? Wondering if it's worth trying to load in the cefclient example app.

It's syncthing, with https enabled.

I'm trying to run it up in the cefclient example app, but it's bailing out with ERR_CERT_AUTHORITY_INVALID. Do you know how to allow invalid certs in cefclient?

You can try the --ignore-certificate-errors command line flag.

Thanks. That seems to all be working fine.

CefSettings.IgnoreCertificateErrors is the other option. Had forgotten all about that! lol

https://github.com/cefsharp/CefSharp/blob/master/CefSharp.Core/CefSettings.h#L76

So that resolved the problem in your app?

That solves it, thanks!

So in summary there's a confirmed issue in CefSharp 41 where OnBeforeResourceLoad / OnCertificateError don't always get called when making ajax requests on a resource with a self-signed cert, but setting IgnoreCertificateErrors is a workaround.

> That solves it, thanks!

Great :+1:

Probably should confirm against the CEF 2357 branch and master, if the problem still exists then probably worth creating an issue.

Doesn't the fact that everything worked fine with cefclient indicate that this is a CefSharp issue?

> Doesn't the fact that everything worked fine with cefclient indicate that this is a CefSharp issue?

Didn't you have to use --ignore-certificate-errors to get cefclient working?

There is very little control that CefSharp has over anything SSL. It's possible we're missing a small piece of implementation detail.

Ah, I see what you mean. My problem was that I couldn't load the page which contained the javascript which made the ajax requests with cefclient, unless I passed --ignore-certificate-errors. So actually my test was entirely useless...

> So actually my test was entirely useless...

It got you to a viable workaround, so not useless :smile:

True!

I'll see if I can put together a sample using cefclient which actually attempts to demonstrate the issue (or not) later in the week: I'm afraid my lunch break is over for today...

https://bitbucket.org/chromiumembedded/cef/issues/1590/problem-with-ssl-certificate-verification

Looks like an upstream bug has been fixed which sounds very similar to this. Will need to test again once there's a 2357 build available.

Aha, nice spot, thanks!

master has been updated with the latest 2357 build.

Amazing, thank you! I'll test when I've got some spare minutes.

@canton7 Any luck testing this out?

Sorry, slipped off my radar. I'll test next week when I'm back from holiday.

I got caught out slightly as you now need to call callback.Continue(true), but it looks like that's working fine! 43.0.0-pre1 from your MyGet feed.

> but it looks like that's working fine!

Excellent :smile:

> 43.0.0-pre1 from your MyGet feed.

The -pre release is also up on nuget.org.
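
An added example, not code from this thread or from CefSharp: CefSettings.IgnoreCertificateErrors waives certificate validation for every host the browser visits, so once OnCertificateError fires reliably again (as reported above for 43.0.0-pre1) the waiver can be limited to the one origin expected to present a self-signed certificate. `CertErrorPolicy`, `ShouldAllow` and the origins with port 8384 are hypothetical names and constructed sample values; the wiring into `callback.Continue(...)` is shown only as a comment and assumes the handler receives the request URL.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not a CefSharp type): decides whether a certificate
// error may be waived for a request URL. From a request handler it would be
// used as: callback.Continue(CertErrorPolicy.ShouldAllow(requestUrl));
public static class CertErrorPolicy
{
    // Exact scheme://host:port origins allowed to use a self-signed cert.
    // Constructed sample values; replace with the app's own local endpoint.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://localhost:8384",
            "https://127.0.0.1:8384",
        };

    public static bool ShouldAllow(string requestUrl)
    {
        Uri uri;
        // Parse instead of prefix-matching the string, so userinfo tricks and
        // look-alike hostnames cannot slip past the comparison.
        if (!Uri.TryCreate(requestUrl, UriKind.Absolute, out uri))
            return false;                 // unparseable: keep validation on
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;                 // only https has a cert to waive
        if (!uri.IsLoopback)
            return false;                 // never waive for remote hosts
        string origin = uri.Scheme + "://" + uri.Host + ":" + uri.Port;
        return AllowedOrigins.Contains(origin);
    }
}

public static class Demo
{
    public static void Main()
    {
        var samples = new[]               // constructed sample URLs
        {
            "https://localhost:8384/rest/events",
            "https://localhost:9999/rest/events",
            "https://localhost.example.com:8384/",
            "https://localhost:8384@example.com/",
            "https://example.com/",
        };
        foreach (var url in samples)
            Console.WriteLine("{0} -> {1}", url, CertErrorPolicy.ShouldAllow(url));
    }
}
```

Only the first sample URL is allowed; the others fail the port, loopback or host check and keep normal certificate validation.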
