[Owasp-csrfguard] Issue with IE8

Unmesh Desale Unmesh_Desale at symantec.com
Tue Aug 6 03:41:01 UTC 2013

Thanks so much Rajesh....

I will try this at my end and will get back to you.

Unmesh Desale

Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com

From: Rajesh Punjabi [mailto:rajesh_punjabi at hotmail.com]
Sent: Monday, August 05, 2013 10:44 PM
To: Unmesh Desale; owasp-csrfguard at lists.owasp.org
Subject: RE: [Owasp-csrfguard] Issue with IE8

I got into the same issue and here is what I wrote earlier on a thread.

It seems when the JavaScriptServlet injects tokens to all the elements in the DOM, it also attaches the token to <script src=''> and <link href=''>.
In IE8 the browser loads all the css files and JS files twice.  This seems to screw up things.
You could try setting the INJECT_ATTRIBUTES parameter to false.

Alternatively, if you think this may break some functionality you desire then in the injectTokenAttribute() method I added the following line. (more of a hack)
if(location != null && isValidUrl(location) && !location.toLowerCase().endsWith(".css") && !location.toLowerCase().endsWith(".js") && !location.toLowerCase().endsWith("javascriptservlet")) {
    var uri = parseUri(location);

So basically for js, css files we shouldn't need to attach the CSRFTOKEN attribute.



From: Unmesh_Desale at symantec.com
To: owasp-csrfguard at lists.owasp.org
Date: Mon, 5 Aug 2013 05:41:03 -0700
Subject: [Owasp-csrfguard] Issue with IE8
Hi All,

I have configured OWASP CSRFGuard for my project. It is working fine when I am browsing my site using Firefox Mozilla, but the same site does not work when I browse it through IE 8. This module is not able to inject the CSRF token for IE8.

Does this module work with (support) IE8 and higher versions? Is it cross-browser compatible?

Please suggest a solution. I am in urgent need of help.

Unmesh Desale

Office: +91 20 40754 4823  Mobile: +91 9657725432
unmesh_desale at symantec.com
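
Added example, not part of the thread and not CSRFGuard's own code: the skip check from Rajesh's message written as a standalone predicate that compares only the URL path, so `site.css?v=3` is skipped while a form target such as `save.do?next=style.css` still receives the token. The names `pathOf`, `hasSuffix`, `shouldInjectToken` and the sample URLs are assumptions made up for illustration; the `isValidUrl()` check from the snippet is left to the caller.

```javascript
// Added illustration; not CSRFGuard source. Names and sample URLs are constructed.
// Written in ES5 style so it does not rely on a native String.prototype.endsWith.

// Return the lower-cased path part of a URL, without query string or fragment.
function pathOf(location) {
    var path = String(location);
    var cut = path.search(/[?#]/);        // index of first '?' or '#', -1 if none
    if (cut !== -1) {
        path = path.substring(0, cut);
    }
    return path.toLowerCase();
}

// Suffix test that works on any engine.
function hasSuffix(text, suffix) {
    var start = text.length - suffix.length;
    return start >= 0 && text.indexOf(suffix, start) === start;
}

// Paths that do not need a token: stylesheets, scripts and the token servlet itself.
var SKIPPED_SUFFIXES = [".css", ".js", "javascriptservlet"];

// true when the attribute value should have the CSRF token appended.
function shouldInjectToken(location) {
    if (location === null || location === undefined || location === "") {
        return false;
    }
    var path = pathOf(location);
    for (var i = 0; i < SKIPPED_SUFFIXES.length; i++) {
        if (hasSuffix(path, SKIPPED_SUFFIXES[i])) {
            return false;
        }
    }
    return true;
}
```

A suffix test on the whole string would treat `/app/save.do?next=style.css` as a stylesheet and leave that request without a token; comparing the path alone avoids that.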
