ActiveXObject false negative in IE 11

[JimmyPruitt]

Sorry to keep bothering you, but I have discovered another problem, specific to IE 11. Apparently, in IE11, typeof ActiveXObject always evaluates to undefined, even when new ActiveXObject() will correctly create an instance of it. As always, here is my simplified example:

<?php
    include_once 'csrf-protector/libs/csrf/csrfprotector.php';
    csrfProtector::init();

    function test_csrfp()
    {
        echo
            '<html>
                <body>
                    <button onclick="submit();">Submit</button>
                    <script>
                        function submit()
                        {
                            var req = new ActiveXObject("Msxml2.XMLHTTP"); // Microsoft.XMLHTTP also broken

                            req.open("POST", "index.php", true);
                            req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
                            req.send("foo=bar");
                        }
                    </script>
                </body>
            </html>';
    }

    function success()
    {
        echo
            "<html>
                <body>Success</body>
            </html>";
    }

    if ($_POST)
        success();

    else
        test_csrfp();

I can reproduce the problem with IE11, but I haven't tried in older versions. My gut tells me that it's specific to IE11, but can't say for sure.

[mebjas]

I don't get how is it related to library? A general practice is to check if the class is available

if (ActiveXObject) {
    var axo = new ActiveXObject(<url>);
    ...
}

[JimmyPruitt]

Normally yes, but that check is only to confirm whether you can create an instance of it. For IE11 the case is different though. Run my example in IE 11 and see for yourself. The ActiveXObject will be instantiated and sent correctly, but the request will be blocked by your library. That's because typeof ActiveXObject is technically undefined, but you can still create an instance of it by calling new ActiveXObject, as I have done.

[mebjas]

Yes you are correct IE-11 has made changes to hide ActiveXObject from DOM. https://msdn.microsoft.com/library/dn423948(v=vs.85).aspx

While the check here: https://github.com/mebjas/CSRF-Protector-PHP/blob/master/js/csrfprotector.js#L282 will fail in IE 11 and it will not attach the token. I'll send a fix!

Nice catch man, impressive!

[mebjas]

So I checked for fix and it seems that ActiveXObject.prototype.send is undefined in IE 11. So the library cannot intercept / add wrapper to that method. This is gonna be tricky.