[Owasp-csrfguard] Issue with IE8

Rajesh Punjabi rajesh_punjabi at hotmail.com
Mon Aug 5 17:13:59 UTC 2013

I got into the same issue and here is what I wrote earlier on a thread.
It seems when the JavaScriptServlet injects tokens to all the elements in the DOM, it also attaches the token to <script src=''> and <link href=''>. In IE8 the browser loads all the css files and JS files twice. This seems to screw up things. You could try to make the INJECT_ATTRIBUTES parameter as false.
Alternatively, if you think this may break some functionality you desire then in the injectTokenAttribute() method I added the following line. (more of a hack)

    if (location != null && isValidUrl(location)
            && !location.toLowerCase().endsWith(".css")
            && !location.toLowerCase().endsWith(".js")
            && !location.toLowerCase().endsWith("javascriptservlet")) {
        var uri = parseUri(location);
        .....................
    }

So basically for js, css files we shouldn't need to attach the CSRFTOKEN attribute.
From: Unmesh_Desale at symantec.com
To: owasp-csrfguard at lists.owasp.org
Date: Mon, 5 Aug 2013 05:41:03 -0700
Subject: [Owasp-csrfguard] Issue with IE8

Hi All,

I have configured OWASP CSRFGuard for my project. It is working fine when I am browsing my site using Firefox Mozilla, but the same site does not work when I browse it through IE 8. This module is not able to inject the CSRF token for IE8. Does this module work with (support) IE8 and higher versions? Is it cross-browser compatible? Please suggest a solution. I am in urgent need of help.

Thanks,
Unmesh Desale
________________________________
Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com
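
The static-resource check discussed in this thread, as an added example that is not part of the original messages and is not CSRFGuard source code. The function names and the sample token value are assumptions; it strips the query string and fragment before testing the suffix, so versioned assets such as `site.js?v=42` are also skipped, and it assumes the caller has already applied the `isValidUrl` check shown above.

```javascript
// Added example, not CSRFGuard source. Names are hypothetical.
var SKIP_SUFFIXES = ['.css', '.js', 'javascriptservlet'];

// Path part of a URL-like attribute value, lowercased,
// with any query string and fragment removed.
function pathOf(location) {
  var end = location.length;
  var q = location.indexOf('?');
  var h = location.indexOf('#');
  if (q !== -1) end = Math.min(end, q);
  if (h !== -1) end = Math.min(end, h);
  return location.substring(0, end).toLowerCase();
}

// Suffix test without ES2015 string helpers, so it also runs in older engines.
function hasSuffix(text, suffix) {
  return text.length >= suffix.length && text.slice(-suffix.length) === suffix;
}

// True when the attribute value should carry the CSRF token:
// stylesheets, scripts and the token servlet itself are left alone.
function shouldInjectToken(location) {
  if (typeof location !== 'string' || location === '') return false;
  var path = pathOf(location);
  for (var i = 0; i < SKIP_SUFFIXES.length; i++) {
    if (hasSuffix(path, SKIP_SUFFIXES[i])) return false;
  }
  return true;
}

// Append the token as a query parameter, keeping any fragment last.
function addToken(location, name, value) {
  if (!shouldInjectToken(location)) return location;
  var h = location.indexOf('#');
  var base = h === -1 ? location : location.substring(0, h);
  var frag = h === -1 ? '' : location.substring(h);
  var sep = base.indexOf('?') === -1 ? '?' : '&';
  return base + sep + encodeURIComponent(name) + '=' +
    encodeURIComponent(value) + frag;
}
```

A dynamic URL whose query string merely ends in `.css`, such as `/app/report?file=summary.css`, still receives the token here, whereas a suffix test on the whole string would skip it.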