AJAX calls from Edge do not go out to a domain with SSL pointing to localhost

We have a product that relies on a thin client installed on the user's computer. We make an AJAX GET request to a domain pointing to localhost that has real SSL. This does not work; it works in any other browser, including IE11. Please note that this works if there is no SSL. It also works on Windows 10 Home Edition.

Adding a data type, content type, or query does not allow this. The only way to fix this seems to be to execute the following command.

CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"

If this is the expected behavior, can someone explain why Microsoft blocks this on the corporate version, but it works on the Home version?

+4
1 answer

Microsoft Edge and Windows 10 applications generally use AppContainer Isolation:

Isolating the application from network resources, in addition to those specially dedicated, AppContainer prevents the application from “shielding” the environment and malicious use of network resources. Granular access can be provided for Internet access, intranet access and server functions.

Your thin client runs on the win10 enterprise server against the intranet SSL (localhost) service, so default access is limited by this mechanism. Using the command

CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"

loopback (localhost) MS Edge, ( ) - localhost.

edge, , IE11.

. , MS:) Enhanced Protected Mode (EPM), IE. Chrome Google Chrome Sandbox, . Safari Firefox , .

, , ssl.

, ssl, , / . , , . , .

Windows 10 Home Edition. , - , microsoft , ?

, , (- db ). , / - ( ), "" .

, , ( , XSS ..). : , Self-XSS, . , , , :)

+3
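
Added example, not part of the original question or answer: since the command above loosens AppContainer network isolation for a whole package, this PowerShell sketch lists which packages currently hold a loopback exemption and flags any that are not on an allowlist. The allowlist, the second package name and the SIDs in the sample are constructed, and the parser assumes the listing prints "Name:" and "SID:" lines per entry.

```powershell
# Hypothetical allowlist of package family names permitted to reach localhost.
$Allowed = @('microsoft.microsoftedge_8wekyb3d8bbwe')

function Get-LoopbackExemption {
    param([string[]]$Lines)
    # Pair each "Name:" line with the "SID:" line that follows it.
    $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name:\s*(.+?)\s*$') {
            $name = $Matches[1]
        }
        elseif ($name -and $line -match '^\s*SID:\s*(\S+)') {
            [pscustomobject]@{ Name = $name; Sid = $Matches[1] }
            $name = $null
        }
    }
}

# Constructed sample listing, used when CheckNetIsolation is not present.
$sample = @'
List Loopback Exempted AppContainers

[1] -----------------------------------------------------------------
    Name: microsoft.microsoftedge_8wekyb3d8bbwe
    SID:  S-1-15-2-1111111111-2222222222-3333333333-4444444444

[2] -----------------------------------------------------------------
    Name: contoso.unexpectedapp_abcdefgh12345
    SID:  S-1-15-2-5555555555-6666666666-7777777777-8888888888
'@ -split "`r?`n"

$tool = Get-Command CheckNetIsolation.exe -ErrorAction SilentlyContinue
$raw  = if ($tool) { & $tool.Source LoopbackExempt -s } else { $sample }

foreach ($entry in Get-LoopbackExemption -Lines $raw) {
    # -contains is case-insensitive, so casing differences in the listing do not matter.
    $status = if ($Allowed -contains $entry.Name) { 'ALLOWED' } else { 'REVIEW' }
    '{0,-8} {1}  {2}' -f $status, $entry.Name, $entry.Sid
}

# To revoke an exemption that is no longer needed (elevated prompt):
#   CheckNetIsolation LoopbackExempt -d -n="<package family name>"
```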

Source: https://habr.com/ru/post/1676005/

