diff --git a/security/manager/ssl/EnterpriseRoots.cpp b/security/manager/ssl/EnterpriseRoots.cpp
index a1d0a22cc6e4..fe164b2184d8 100644
--- a/security/manager/ssl/EnterpriseRoots.cpp
+++ b/security/manager/ssl/EnterpriseRoots.cpp
@@ -92,9 +92,18 @@ static void CertIsTrustAnchorForTLSServerAuth(PCCERT_CONTEXT certificate,
 memset(&chainPara, 0, sizeof(CERT_CHAIN_PARA));
 chainPara.cbSize = sizeof(CERT_CHAIN_PARA);
 chainPara.RequestedUsage = certUsage;
-
+ // Disable anything that could result in network I/O.
+ DWORD flags = CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY |
+ CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL |
+ CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE |
+// mingw's version of wincrypt.h doesn't define this flag (bug 1592792).
+# if defined(CERT_CHAIN_DISABLE_AIA)
+ CERT_CHAIN_DISABLE_AIA;
+# else
+ 0x00002000;
+# endif
 if (!CertGetCertificateChain(nullptr, certificate, nullptr, nullptr,
- &chainPara, 0, nullptr, &pChainContext)) {
+ &chainPara, flags, nullptr, &pChainContext)) {
 MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CertGetCertificateChain failed"));
 return;
 }
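Review bot: The `DWORD flags` initializer is split by `# if`/`# else` in the middle of the expression, and the mingw branch ends in the bare literal `0x00002000`, so the no-AIA behaviour on that toolchain rests on an unnamed number that a reader cannot check at a glance. A guarded definition placed after the wincrypt.h include (`#ifndef CERT_CHAIN_DISABLE_AIA`, `#define CERT_CHAIN_DISABLE_AIA 0x00002000`, `#endif`) would let the initializer end with plain `CERT_CHAIN_DISABLE_AIA;` on every toolchain and keep the fallback value in one auditable place. The comment could also state the consequence for callers, e.g. `// Offline only: a chain that needs fetched intermediates or CRLs will not validate here.`, which I am inferring from the flag names rather than from code visible in the hunk. The body of CertIsTrustAnchorForTLSServerAuth starts and ends outside the hunk.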