[Owasp-csrfguard] CSRFGuard IE8 compatibility

Rajesh Punjabi rajesh_punjabi at hotmail.com
Tue Jul 9 00:15:48 UTC 2013

I made some progress which seems to work. (I still need to do some more regression testing.)

It seems that when the JavaScriptServlet injects tokens into all the elements in the DOM, it also attaches the token to <script src=''> and <link href=''>. In IE8 the browser then loads all the CSS files and JS files twice. This seems to screw things up. You could try setting the INJECT_ATTRIBUTES parameter to false.

Alternatively, if you think this may break some functionality you desire, then in the injectTokenAttribute() method I added the following line (more of a hack):

    if(location != null && isValidUrl(location)
            && !location.toLowerCase().endsWith(".css")
            && !location.toLowerCase().endsWith(".js")
            && !location.toLowerCase().endsWith("javascriptservlet")) {
        var uri = parseUri(location);
        .....................
    }

So basically for JS and CSS files we shouldn't need to attach the CSRFTOKEN attribute.
Feedback welcome.
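The skip rule from the hack above, written out as an added example for this archive (it is not CSRFGuard's code and not the poster's). It goes one step further than the raw endsWith() check by testing the parsed pathname, so a query string or fragment such as "/app.js?v=3" does not defeat the extension test, and it only tokenises same-origin URLs. The base URL and the token name are assumed placeholders.

```javascript
// Added example, not CSRFGuard's own code: decide whether a URL found in a
// src/href/action attribute should receive the CSRF token, following the
// "skip .css/.js/JavaScriptServlet" rule, and append the token when it should.

// Assumed values for the stand-alone run; the token name is a placeholder.
const DEFAULT_BASE = 'https://app.example/';
const SKIPPED_EXTENSIONS = ['.css', '.js'];
const SERVLET_PATH_FRAGMENT = 'javascriptservlet';

// True when the token must NOT be injected into this URL. The check runs on
// the parsed pathname, not the raw string, so "/static/app.js?v=3" and
// "/x.CSS#top" are still recognised as static assets.
function isStaticResource(location, base = DEFAULT_BASE) {
  let url;
  try {
    url = new URL(location, base);
  } catch (e) {
    return true; // unparseable: leave the attribute untouched
  }
  const path = url.pathname.toLowerCase();
  if (SKIPPED_EXTENSIONS.some((ext) => path.endsWith(ext))) return true;
  return path.includes(SERVLET_PATH_FRAGMENT);
}

// Returns the URL with tokenName=tokenValue appended to its query string, or
// the input unchanged when the URL is a static resource, points at another
// origin (the token would leak to that origin), or already carries the token.
// Relative inputs are returned resolved against `base`.
function injectToken(location, tokenName, tokenValue, base = DEFAULT_BASE) {
  if (isStaticResource(location, base)) return location;
  const url = new URL(location, base);
  if (url.origin !== new URL(base).origin) return location;
  if (url.searchParams.has(tokenName)) return location;
  url.searchParams.set(tokenName, tokenValue);
  return url.toString();
}
```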

Date: Mon, 8 Jul 2013 15:45:48 -0400
From: paul.volpe at gsa.gov
To: tom.a.barber at gmail.com
CC: owasp-csrfguard at lists.owasp.org; sridharvedhana at gmail.com
Subject: Re: [Owasp-csrfguard] CSRFGuard IE8 compatibility

We tripped across something within IE8 just recently that causes me great alarm.  It seems as though IE8 has changed their support of the document.getElementsByName() function.  Documentation was found to this effect by one of the developers on my team, but I have not yet corroborated this. If Microsoft is radically changing support for DOM objects, this is going to make the browser version problem worse instead of better -- and more to the point, could be contributing to this particular problem you're facing.

In terms of support, we had implemented a mixed-source implementation -- we used the OWASP filter as-is, but instead of using the OWASP JS support, we built our own JS functionality to facilitate getting the token onto every request.  Generally, I wouldn't recommend this as a solution, but if you need to respond to this problem as a Production issue faster than the community can come up with a fix for the cross-browser support, something along those lines may be a viable band-aid approach.


On Mon, Jul 8, 2013 at 2:20 PM, Tom Barber <tom.a.barber at gmail.com> wrote:

Upon finding a similar issue to the one you previously detailed below, I stumbled across this email you sent last year. Were you able to make progress on this? Our application has to support IE8.
My issue specifically is that in IE8 the tokens are not being attached to XMLHttpRequest headers, within the override of XMLHttpRequest.prototype.onsend within the js.

Tom

----------------------------------------------------
At the outset, I want to congratulate OWASP for its efforts in getting a framework available for CSRF anti-tokens. This is really a plug-and-play kind of implementation.
But then, I am facing an issue with the same while implementing it for the IE8 browser. I get an error related to
"XMLHttpRequest.prototype.open is not an object".
Later I found that IE8 doesn't have a proper event handling API. Please let me know what is the way forward on this issue.
Yours sincerely,
Sridhar Vedhanabatla

Owasp-csrfguard mailing list

Owasp-csrfguard at lists.owasp.org


- Paul F. Volpe
OCMS Team Lead
paul.volpe at gsa.gov
703-605-2617 (w)
585-214-9862 (c)

