I have a web server which uses SSL client authentication. A web page on that server makes a same-origin GET request using the fetch() API.

In Chrome, the client cert is sent in the SSL handshake, as expected, resulting in a 200 "ok" response. In Firefox, the cert isn't sent, resulting in a 403 "forbidden" response.

In Firefox, if I switch it from using fetch() to XMLHttpRequest, it works. If I load the same URL directly from Firefox's URL bar, it works. The problem seems limited to fetch() on Firefox.

Has anyone seen this before? Is there any way to make fetch() play well with SSL client auth in Firefox, or do I need to switch to using XMLHttpRequest everywhere? Thanks.

I just solved my own problem. This is what was failing:

fetch(someUrl)

This fixes the issue:

fetch(someUrl, { credentials: 'include' })

Apparently there's different behavior here between Chrome (v54) and Firefox (v45).