"OWASP CSRFGuard JavaScript was included from within an unauthorized domain"

Issue Description

In TIBCO JasperReports® Server v6.3.0 the CSRF protection changed, and there is a known defect that can affect reverse-proxy setups.

The first symptom is that certain actions in the TIBCO JasperReports Server UI unexpectedly redirect back to the home page. The CSRF token appears to be lost or never set, as indicated by a server-side log message at runtime like:

ERROR CsrfGuard,http-apr-16220-exec-25:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:(null),
      method:POST, uri:/jasperserver-pro/flow.html, error:required token is missing from the request)

The second symptom, which confirms this problem, is a JavaScript error in the browser developer tools (F12 key). The message states:

OWASP CSRFGuard JavaScript was included from within an unauthorized domain

Because of this JavaScript error the token is never set on the page, and the missing token causes the runtime error that redirects to the home page and produces the server log entry.


Resolution

Back up, then edit the file: \webapps\jasperserver-pro\WEB-INF\csrf\jrs.csrfguard.js

Find this line:

if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {

Change it to:

if(true) {

The attached JS file has this fix applied. It is valid for JasperReports Server v6.4.2.

Save the file and restart the server.

Browsers may cache the "JavaScriptServlet" response, which is how jrs.csrfguard.js is loaded into the browser, so you may need to force a browser cache refresh before this update takes effect.
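To show what the replaced line actually compares, and why a reverse proxy makes it fail, here is an added example; it is not code from the KB article or from TIBCO. The isValidDomain function is modelled on the OWASP CSRFGuard check (assumption: exact match, or a subdomain match when strict mode is off) rather than copied from the product, and all host names are constructed. It also shows an allowlist variant that keeps a domain check for the names users reach the server through, as an alternative to removing the check with if(true); whether that suits a given deployment is for the administrator to decide.

```javascript
// Added example (not the KB article's code or TIBCO's): a model of the
// CSRFGuard origin check that jrs.csrfguard.js performs before it injects
// the CSRF token, used here to show why a reverse proxy trips it.
//
// The server-side JavaScriptServlet substitutes %DOMAIN_ORIGIN% with the
// host name of the request it received. Behind a reverse proxy that is the
// backend's name, not the name the browser sees in document.domain, so the
// comparison fails and the "unauthorized domain" error is raised.
// Assumption: exact match, or subdomain match when strict mode is off.

function isValidDomain(current, target, strict) {
  if (current === target) {
    return true;
  }
  if (!strict) {
    // Non-strict mode also accepts subdomains of the configured origin.
    const suffix = target.startsWith('.') ? target : '.' + target;
    return current.endsWith(suffix);
  }
  return false;
}

// Narrower alternative to `if(true)`: keep a check, but against an explicit
// allowlist of the names users actually reach the server through.
// The names below are constructed for this example.
const ALLOWED_DOMAINS = ['reports.example.com', 'reports-internal.example.com'];

function isAllowedDomain(current, allowed) {
  return allowed.some((d) => isValidDomain(current, d, true));
}

// Constructed scenario: the browser sees the proxy's public name, but the
// servlet rendered the backend host name into %DOMAIN_ORIGIN%.
function proxyScenario() {
  const documentDomain = 'reports.example.com';  // what the browser has
  const renderedOrigin = 'jrs-backend.internal';  // what the servlet wrote
  return {
    // Direct access to the backend: names agree, check passes.
    directAccess: isValidDomain('jrs-backend.internal', renderedOrigin, true),
    // Through the proxy: names differ, check fails (the symptom on this page).
    behindProxy: isValidDomain(documentDomain, renderedOrigin, true),
    // Allowlist variant: the public name is accepted ...
    allowlisted: isAllowedDomain(documentDomain, ALLOWED_DOMAINS),
    // ... while an unrelated host is still rejected.
    unknownHost: isAllowedDomain('evil.example.net', ALLOWED_DOMAINS),
  };
}

console.log(proxyScenario());
```

The behindProxy case is the one this article describes: the check is sound in principle but compares two names that legitimately differ once a proxy sits in front of the server.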


Ref. Case 01530101
