[Owasp-csrfguard] CSRFGuard IE8 compatibility

Paul Volpe - QV0CD-C paul.volpe at gsa.gov
Mon Jul 8 19:45:48 UTC 2013


Hi,

We tripped across something within IE8 just recently that causes me great
alarm.  It seems as though IE8 has changed their support of the
document.getElementsByName() function.  Documentation was found to this
effect by one of the developers on my team, but I have not yet corroborated
this. If Microsoft *is* radically changing support for DOM objects, this is
going to make the browser version problem worse instead of better -- and
more to the point, could be contributing to this particular problem you're
facing.

In terms of support, we had implemented a mixed-source implementation -- we
used the OWASP filter as-is, but instead of using the OWASP JS support, we
built our own JS functionality to facilitate getting the token onto every
request.  Generally, I wouldn't recommend this as a solution, but if you
need to respond to this problem as a Production issue faster than the
community can come up with a fix for the cross-browser support, something
along those lines may be a viable band-aid approach.




On Mon, Jul 8, 2013 at 2:20 PM, Tom Barber <tom.a.barber at gmail.com> wrote:

> Hi,
>
> Upon finding a similar issue to that you detailed below previously I
> stumbled across this email you sent last year. Were you able to make
> progress on this? Our application has to support IE8 :(
>
> My issue specifically is that in IE8 the tokens are not being attached to
> XMLHttpRequest headers, within the override of the
> XMLHttpRequest.prototype.onsend within the js.
>
> Thanks
>
> Tom
>
> ----------------------------------------------------
>
> Hi,
>
> At the outset, I want to congratulate OWASP for its efforts in getting a
> framework available for CSRF anti-tokens. This is really a plug-and-play
> kind of implementation.
>
> But then, I am facing an issue with the same while implementing the same
> for IE8 browser. I get an error related to
> XMLHttpRequest.prototype.open
> is not an object.
>
> Later I found that, IE8 doesn't have proper Event handling API. Please let
> me know what is the way forward on this issue.
>
> Yours sincerely,
>
> Sridhar Vedhanabatla
>
> _______________________________________________
> Owasp-csrfguard mailing list
> Owasp-csrfguard at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-csrfguard
>
>


-- 
- Paul F. Volpe
*OCMS Team Lead*
paul.volpe at gsa.gov
703-605-2617 (w)
585-214-9862 (c)
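
The band-aid described in the message above, sketched as an added example (not CSRFGuard's JavaScript and not the code Paul's team wrote): a per-instance wrapper that sets the token header after open() without touching XMLHttpRequest.prototype. The header name, the function names and the same-origin rule are assumptions.

```javascript
// Added example; every name below is hypothetical, not CSRFGuard's API.
var CSRF_HEADER = 'X-CSRF-Token'; // assumed header name

// True only when url resolves to pageOrigin (e.g. "https://app.example").
// Mirrors URL-parser quirks so the token is never attached cross-origin.
function isSameOrigin(url, pageOrigin) {
  url = String(url)
    .replace(/[\t\r\n]/g, '')         // parsers drop tabs and newlines
    .replace(/^[\u0000-\u0020]+/, '') // and leading control chars/spaces
    .replace(/\\/g, '/');             // and treat "\" as "/"
  // No scheme and not protocol-relative: a relative URL on this origin.
  if (!/^([a-z][a-z0-9+.\-]*:|\/\/)/i.test(url)) return true;
  if (url.slice(0, 2) === '//') {
    url = pageOrigin.slice(0, pageOrigin.indexOf(':') + 1) + url;
  }
  var rest = url.slice(pageOrigin.length);
  return url.toLowerCase().indexOf(pageOrigin.toLowerCase()) === 0 &&
    (rest === '' || /^[\/?#]/.test(rest)); // rejects app.example.evil.test
}

// Returns a factory for request objects whose open() also sets the token.
// Each instance is wrapped; XMLHttpRequest.prototype is never modified.
function makeTokenXhrFactory(createXhr, getToken, pageOrigin) {
  return function () {
    var xhr = createXhr();
    return {
      raw: xhr, // underlying object, for onreadystatechange, status, etc.
      open: function (method, url, async) {
        xhr.open(method, url, async !== false);
        if (isSameOrigin(url, pageOrigin)) {
          xhr.setRequestHeader(CSRF_HEADER, getToken());
        }
      },
      setRequestHeader: function (name, value) {
        xhr.setRequestHeader(name, value);
      },
      send: function (body) { xhr.send(body); }
    };
  };
}
```

In a page, createXhr would be `function () { return new XMLHttpRequest(); }` and pageOrigin `location.protocol + '//' + location.host`; callers then use the factory instead of `new XMLHttpRequest()`.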