
I am making HTTPS calls in JavaScript via XMLHttpRequest. I know the server and its public key in advance. For extra security, I would like to check whether the public key (or its fingerprint) is what I expect.

But I want to do that before I send any data over the network, and if the fingerprints do not match, I do not want to send any data. Is that possible with XMLHttpRequest? I found this page, but here the fingerprint is only retrieved after a request has already been made.

Nathan



I found this page, but here the fingerprint is only retrieved after a request has already been made.

You need to do some kind of request to get information about the peer, because somehow it needs to collect this information. But of course you can do a dummy request (pre-flight) not containing any sensitive data.

But note that a normal application has no access to the fingerprint or certificate. The example you refer to can only be used inside a Firefox extension or from an XULRunner application, as is clearly stated:

...This code requires elevated privileges to run; you can only call it from a browser extension or from a XULRunner application.

Outside of these elevated privileges, that is, inside a normal web application, you can only trust that the browser does the right thing, but you can use HPKP to make sure that the correct fingerprint of the certificate will be used, at least with browsers supporting HPKP.

Steffen Ullrich