CSRF-Protector-PHP
ActiveXObject false negative in IE 11
Sorry to keep bothering you, but I have discovered another problem, specific to IE 11. Apparently, in IE 11, `typeof ActiveXObject` always evaluates to `undefined`, even when `new ActiveXObject()` will correctly create an instance of it. As always, here is my simplified example:
```php
<?php
include_once 'csrf-protector/libs/csrf/csrfprotector.php';

// Initialise the protector before any output is sent.
csrfProtector::init();

// Page with a button that POSTs through an ActiveX XMLHTTP object.
function test_csrfp()
{
    echo '<html>
<body>
<button onclick="submit();">Submit</button>
<script>
function submit()
{
    var req = new ActiveXObject("Msxml2.XMLHTTP"); // Microsoft.XMLHTTP also broken
    req.open("POST", "index.php", true);
    req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    req.send("foo=bar");
}
</script>
</body>
</html>';
}

// Shown only when the POST gets past the CSRF check.
function success()
{
    echo "<html>
<body>Success</body>
</html>";
}

if ($_POST)
    success();
else
    test_csrfp();
```
I can reproduce the problem with IE 11, but I haven't tried it in older versions. My gut tells me that it's specific to IE 11, but I can't say for sure.
I don't get how it is related to the library. A general practice is to check if the class is available:

```js
if (ActiveXObject) {
    var axo = new ActiveXObject(<url>);
    ...
}
```
Normally yes, but that check is only to confirm whether you can create an instance of it. For IE 11 the case is different though. Run my example in IE 11 and see for yourself. The `ActiveXObject` will be instantiated and sent correctly, but the request will be blocked by your library. That's because `typeof ActiveXObject` is technically `undefined`, but you can still create an instance of it by calling `new ActiveXObject`, as I have done.
Yes, you are correct: IE 11 has made changes to hide `ActiveXObject` from the DOM. https://msdn.microsoft.com/library/dn423948(v=vs.85).aspx
The check here, https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js#L282, will fail in IE 11 and it will not attach the token. I'll send a fix!
Nice catch man, impressive!
So I checked for a fix and it seems that `ActiveXObject.prototype.send` is `undefined` in IE 11. So the library cannot intercept / add a wrapper to that method. This is gonna be tricky.
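The thread identifies two separate failure points: detecting ActiveX with a `typeof`/property check (false negative on IE 11, where the constructor still works when called), and wrapping `ActiveXObject.prototype.send` (impossible when the prototype exposes no `send`). The following is an added example, not code from CSRF-Protector-PHP or from either participant, showing a detection-by-construction check and an instance-level wrapper that attaches a token header regardless of where `send` lives. The IE 11 behaviour is simulated so the file runs under Node: everything prefixed `Fake` is a constructed stand-in, the `X-CSRF-Token` header name is an assumption, and whether a real IE 11 ActiveX proxy accepts having its `open`/`send` properties overwritten is something to verify in IE itself.

```javascript
// Added example, not part of CSRF-Protector-PHP. Simulates the two IE 11
// behaviours reported in the issue and shows a detection + wrapping
// strategy that does not depend on typeof ActiveXObject or on
// ActiveXObject.prototype.send.

// Constructed stand-in for an MSXML XMLHTTP instance. Every method is an
// own property of the instance: the prototype carries no send, mirroring
// what was observed in IE 11.
function FakeXmlHttp() {
  var self = this;
  this.headers = {};
  this.body = undefined;
  this.open = function (method, url) { self.method = method; self.url = url; };
  this.setRequestHeader = function (name, value) { self.headers[name] = value; };
  this.send = function (body) { self.body = body; };
}

// Constructed stand-in for the ActiveXObject constructor. It is deliberately
// never installed on a global object: in IE 11 typeof window.ActiveXObject is
// "undefined" while new ActiveXObject(...) still succeeds.
function FakeActiveXObject(progId) {
  if (progId !== 'Msxml2.XMLHTTP' && progId !== 'Microsoft.XMLHTTP') {
    throw new Error("Automation server can't create object");
  }
  return new FakeXmlHttp();
}

// Property/typeof-style detection: yields false on IE 11 (the false negative).
function hasActiveXByProperty(scope) {
  return typeof scope.ActiveXObject !== 'undefined';
}

// Detection by construction: try to build the object and catch the failure.
// In a browser, pass function (id) { return new ActiveXObject(id); }.
function hasActiveXByConstruction(construct) {
  try {
    construct('Msxml2.XMLHTTP');
    return true;
  } catch (e) {
    return false;
  }
}

// Prototype patching: the approach that cannot work when prototype.send is
// undefined. Returns false instead of silently leaving requests unprotected.
function wrapPrototypeSend(ctor, token) {
  if (!ctor.prototype || typeof ctor.prototype.send !== 'function') {
    return false;
  }
  var original = ctor.prototype.send;
  ctor.prototype.send = function (body) {
    this.setRequestHeader('X-CSRF-Token', token); // assumed header name
    return original.call(this, body);
  };
  return true;
}

// Instance-level wrapping: works whether open/send live on the prototype or
// on the object itself. Attaches the token only to state-changing methods.
function wrapInstance(xhr, token) {
  var originalOpen = xhr.open;
  var originalSend = xhr.send;
  xhr.open = function (method) {
    xhr._csrfMethod = String(method).toUpperCase();
    return originalOpen.apply(xhr, arguments);
  };
  xhr.send = function () {
    if (xhr._csrfMethod !== 'GET' && xhr._csrfMethod !== 'HEAD') {
      xhr.setRequestHeader('X-CSRF-Token', token); // assumed header name
    }
    return originalSend.apply(xhr, arguments);
  };
  return xhr;
}

// The same POST as the reporter's page, issued through a wrapped instance.
function sendProtectedPost(construct, token) {
  var req = wrapInstance(construct('Msxml2.XMLHTTP'), token);
  req.open('POST', 'index.php', true);
  req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  req.send('foo=bar');
  return req;
}

var fakeWindow = {}; // constructed: no ActiveXObject property, as in IE 11
var constructFake = function (id) { return new FakeActiveXObject(id); };
```

Run with `node`, calling `sendProtectedPost(constructFake, 'token')` to see the token header on the returned object; `hasActiveXByProperty(fakeWindow)` reports false and `hasActiveXByConstruction(constructFake)` reports true for the same simulated environment, which is exactly the discrepancy the reporter observed.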