
ActiveXObject false negative in IE 11

Open JimmyPruitt opened this issue 7 years ago • 4 comments

Sorry to keep bothering you, but I have discovered another problem, specific to IE 11. Apparently, in IE11, typeof ActiveXObject always evaluates to undefined, even when new ActiveXObject() will correctly create an instance of it. As always, here is my simplified example:

<?php
    include_once 'csrf-protector/libs/csrf/csrfprotector.php';
    csrfProtector::init();

    function test_csrfp()
    {
        echo
            '<html>
                <body>
                    <button onclick="submit();">Submit</button>
                    <script>
                        function submit()
                        {
                            var req = new ActiveXObject("Msxml2.XMLHTTP"); // Microsoft.XMLHTTP also broken

                            req.open("POST", "index.php", true);
                            req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
                            req.send("foo=bar");
                        }
                    </script>
                </body>
            </html>';
    }

    function success()
    {
        echo
            "<html>
                <body>Success</body>
            </html>";
    }

    if ($_POST)
        success();

    else
        test_csrfp();

I can reproduce the problem with IE11, but I haven't tried in older versions. My gut tells me that it's specific to IE11, but can't say for sure.

JimmyPruitt, Feb 07 '17 23:02

I don't get how it is related to the library. A general practice is to check if the class is available:

if (ActiveXObject) {
    var axo = new ActiveXObject(<url>);
    ...
}

mebjas, Feb 11 '17 23:02

Normally yes, but that check is only to confirm whether you can create an instance of it. For IE11 the case is different though. Run my example in IE 11 and see for yourself. The ActiveXObject will be instantiated and sent correctly, but the request will be blocked by your library. That's because typeof ActiveXObject is technically undefined, but you can still create an instance of it by calling new ActiveXObject, as I have done.

JimmyPruitt, Feb 12 '17 01:02

Yes, you are correct: IE 11 has made changes to hide ActiveXObject from the DOM. https://msdn.microsoft.com/library/dn423948(v=vs.85).aspx

The check here: https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js#L282 will fail in IE 11 and it will not attach the token. I'll send a fix!

Nice catch man, impressive!

mebjas, Feb 12 '17 10:02

So I checked for a fix and it seems that ActiveXObject.prototype.send is undefined in IE 11, so the library cannot intercept / add a wrapper to that method. This is gonna be tricky.

mebjas, Feb 12 '17 13:02
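The two points raised in the thread (a `typeof ActiveXObject` check misses IE 11, and `ActiveXObject.prototype.send` cannot be wrapped there) both suggest the same defensive pattern: detect ActiveX by attempting construction inside try/catch, and attach the CSRF token per request instance rather than on the prototype. The following is an added example written for this page; it is not code from CSRF-Protector-PHP and does not reproduce how csrfprotector.js itself injects tokens. The field name `csrfp_token`, the token value, and the `fakeXhr` stand-in are constructed placeholders so the wrapping can be exercised outside a browser.

```javascript
// Added example (not from CSRF-Protector-PHP): IE11-safe ActiveXObject feature
// detection plus instance-level CSRF token attachment for POST bodies.

var CSRF_PARAM = 'csrfp_token'; // assumed form-field name (placeholder)

// In IE11 `typeof ActiveXObject` is "undefined" although `new ActiveXObject(...)`
// works, so probe by attempting construction. Outside IE the bare identifier
// throws a ReferenceError, which is caught and reported as "not available".
function activeXAvailable(progId) {
  try {
    /* global ActiveXObject */
    return new ActiveXObject(progId) != null;
  } catch (e) {
    return false;
  }
}

// Pick a transport: native XMLHttpRequest first, then the two ActiveX ProgIDs
// named in the issue. Returns null when nothing can be constructed (e.g. Node).
function createXhr() {
  if (typeof XMLHttpRequest !== 'undefined') {
    return new XMLHttpRequest();
  }
  var progIds = ['Msxml2.XMLHTTP', 'Microsoft.XMLHTTP'];
  for (var i = 0; i < progIds.length; i++) {
    try {
      return new ActiveXObject(progIds[i]);
    } catch (e) {
      // ProgID not registered or identifier missing: try the next one
    }
  }
  return null;
}

// Append the token to a form-urlencoded body; an empty or absent body becomes
// just the token pair.
function appendToken(body, token) {
  var pair = CSRF_PARAM + '=' + encodeURIComponent(token);
  if (body === null || body === undefined || body === '') {
    return pair;
  }
  var s = String(body);
  return s + (s.charAt(s.length - 1) === '&' ? '' : '&') + pair;
}

// Wrap one request object. The ActiveX wrapper exposes open/send on the
// instance rather than on ActiveXObject.prototype, so the interception has to
// happen per instance, after construction. Only POSTs get the token.
function protectXhr(xhr, token) {
  var origOpen = xhr.open;
  var origSend = xhr.send;
  var method = 'GET';
  xhr.open = function (m) {
    method = String(m).toUpperCase();
    return origOpen.apply(xhr, arguments);
  };
  xhr.send = function (body) {
    var payload = method === 'POST' ? appendToken(body, token) : body;
    return origSend.call(xhr, payload);
  };
  return xhr;
}

// Constructed stand-in for a request object; records what open/send received.
function fakeXhr() {
  var rec = { opened: null, sent: null };
  rec.open = function (m, url, async) {
    rec.opened = { method: m, url: url, async: async };
  };
  rec.send = function (body) {
    rec.sent = body;
  };
  return rec;
}

// Run the issue's own POST ("foo=bar" to index.php) through the wrapper.
function demo() {
  var req = protectXhr(fakeXhr(), 'tok123');
  req.open('POST', 'index.php', true);
  req.send('foo=bar');
  return req.sent; // 'foo=bar&csrfp_token=tok123'
}
```

In a real page `createXhr()` would be followed by `protectXhr(xhr, token)` at the point where the application constructs the request, which sidesteps the missing prototype method entirely; the trade-off is that any request object created without going through that factory remains unprotected, so the server-side check stays the actual control.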