<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Yes it is the injection of tokens into links etc… not getting any error for ajax request. I am not able to see any CSRF token in IE8.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Unmesh Desale<br></span></b><b><u><span lang=EN style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>________________________________</span></u></b><b><span lang=EN style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Office:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'> +91 20 40754 4823  <b>Mobile: </b>+91 9657725432<b>  <u><br></u>unmesh_desale@symantec.com</b></span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'><br></span><b><u><span lang=EN style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>________________________________</span></u></b><b><span lang=EN style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Tom Barber [mailto:tom.a.barber@gmail.com] <br><b>Sent:</b> Tuesday, August 06, 2013 1:57 PM<br><b>To:</b> Unmesh Desale<br><b>Cc:</b> owasp-csrfguard@lists.owasp.org; Rajesh Punjabi<br><b>Subject:</b> Re: [Owasp-csrfguard] Issue with IE8<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p>Is it the injection of tokens into links etc or ajax requests that is failing? I found that xmlhttprequest injection doesn't work in <ie9<o:p></o:p></p><div><p class=MsoNormal>On Aug 6, 2013 6:34 AM, "Unmesh Desale" <<a href="mailto:Unmesh_Desale@symantec.com">Unmesh_Desale@symantec.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Rajesh,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Tried the below solution but it is still not able to inject the token. Whenever I am placing one alert message in that function then I am able to see CRSF token in resulting html (IE8).</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New";background:silver'>element</span><span style='font-size:10.0pt;font-family:"Courier New"'>.setAttribute(attr, location);</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Courier New";color:#3F7F5F'>alert('token injected:' + value);</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Courier New";color:#3F7F5F'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Below are my settings for servelet in web.xml;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><u><span style='font-size:10.0pt;font-family:"Courier New"'><servlet></span></u><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            <servlet-name>JavaScriptServlet</servlet-name></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            <init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-name>source-file</param-name></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-value>WEB-INF/Owasp.CsrfGuard.js</param-value></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            </init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            <init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-name>inject-into-forms</param-name></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-value>true</param-value></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            </init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            <init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-name>inject-into-attributes</param-name></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-value>true</param-value></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            </init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            <init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-name>domain-strict</param-name></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-value>true</param-value></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            </init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            <init-<u>param</u>></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-name><u>referer</u>-pattern</param-name></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>                  <param-value>.*<u>localhost</u>:8080.*</param-value></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-autospace:none'><span style='font-size:10.0pt;font-family:"Courier New"'>            </init-<u>param</u>>           </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><u><span style='font-size:10.0pt;font-family:"Courier New"'></servlet></span></u><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Below are settings for CSRF Guard Properties:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Courier New"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.Logger=org.owasp.csrfguard.log.ConsoleLogger</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.TokenPerPage=true</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.TokenPerPagePrecreate=false</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.Ajax=true</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.Default=/appliance</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.JavaScriptServlet=/appliance/JavaScriptServlet</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.JavaScript=*.js</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.css=*.css</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.html=*.html</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.png=*.png</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.jpg=*.jpg</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.ico=*.ico</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.gif=*.gif</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.Tag=/tag.jsp</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.jsp=*.jsp</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.Error=/appliance/error.html</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.Patch=/appliance/manage.appliance.patch.details.do</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.SecurityEdit=/appliance/settings.appreconfig.security.edit.do</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.unprotected.launchInitConfig=/appliance/launch.configure.appliance.do</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.action.Log=org.owasp.csrfguard.action.Log</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.action.Log.Message=potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.action.Redirect=org.owasp.csrfguard.action.Redirect</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.action.Redirect.Page=/appliance/error.html</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.action.Rotate=org.owasp.csrfguard.action.Rotate</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.SessionKey=OWASP_CSRFTOKEN</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.TokenLength=32</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>org.owasp.csrfguard.PRNG=SHA1PRNG</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Thanks,</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Unmesh Desale<br></span></b><b><u><span lang=EN style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>________________________________</span></u></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Office:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#1F497D'> +91 20 40754 4823  <b>Mobile: </b>+91 9657725432<b>  <u><br></u>unmesh_desale@symantec.com</b><br></span><b><u><span lang=EN style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>________________________________</span></u></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rajesh Punjabi [mailto:rajesh_punjabi@hotmail.com] <br><b>Sent:</b> Monday, August 05, 2013 10:44 PM<br><b>To:</b> Unmesh Desale; owasp-csrfguard@lists.owasp.org<br><b>Subject:</b> RE: [Owasp-csrfguard] Issue with IE8</span><o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>I got into the same issue and here is what I wrote earlier on a thread.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>It seems when the JavaScriptServlet injects tokens to all the elements in the DOM, it also attaches the token to <script src=''> and <link href=''>.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>In IE8 the browser loads all the css files and JS files twice.  This seems to screw up things.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>You could try to make the INJECT_ATTRIBUTES parameter as false.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>Alternatively, if you think this may break some functionality you desire then in the injectTokenAttribute() method I added the following line. (more of a hack)</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>if(location != null && isValidUrl(location) && !location.toLowerCase().endsWith(".css") && !location.toLowerCase().endsWith(".js") && !location.toLowerCase().endsWith("javascriptservlet")) {</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>    var uri = parseUri(location);</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>    .....................</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>}</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>So basically for js, css files we shouldn't need to attach the CSRFTOKEN attribute.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>HTH</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;line-height:15.85pt'><span style='font-family:"Calibri","sans-serif";color:#444444'>Best,<br>Rajesh</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><div><div class=MsoNormal align=center style='text-align:center'><span style='font-family:"Calibri","sans-serif"'><hr size=2 width="100%" align=center></span></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span style='font-family:"Calibri","sans-serif"'>From: Unmesh_Desale@symantec.com<br>To: owasp-csrfguard@lists.owasp.org<br>Date: Mon, 5 Aug 2013 05:41:03 -0700<br>Subject: [Owasp-csrfguard] Issue with IE8</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>Hi All,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>I have configured OWASP CSRFGuard for my project. It is working fine when I am browsing my site using Firefox Mozilla but same site doesn’t not work when I browse it through IE 8. This module is not able to inject CSRF token for IE8.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>Is this module works (supports) IE8 and higher versions? Is it cross-browser compatible?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'>Please suggest me some solution. I am in urgent need of help.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks,</span></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Unmesh Desale<br></span></b><b><u><span lang=EN style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>________________________________</span></u></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Office:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> +91 20 40754 4823  <b>Mobile: </b>+91 9657725432<b>  <u><br></u>unmesh_desale@symantec.com</b><span style='color:#1F497D'><br></span></span><b><u><span lang=EN style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>________________________________</span></u></b><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'> </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Calibri","sans-serif"'><br>_______________________________________________ Owasp-csrfguard mailing list Owasp-csrfguard@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-csrfguard</span><o:p></o:p></p></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Owasp-csrfguard mailing list<br><a href="mailto:Owasp-csrfguard@lists.owasp.org">Owasp-csrfguard@lists.owasp.org</a><br><a href="https://lists.owasp.org/mailman/listinfo/owasp-csrfguard">https://lists.owasp.org/mailman/listinfo/owasp-csrfguard</a><o:p></o:p></p></div></div></body></html>