Forum Discussion

Yann_Desmarest
May 25, 2016

Enable AJAX blocking behavior (JavaScript injection)?

Hi,

Does someone know exactly what kind of JavaScript is injected by this ASM feature and how it works exactly?

Best Regards

Yann

2 Replies

  • Hello Yann, will have to dig into it. My guess so far is that AJAX requests are not interactive with the end user most of the time; what I mean is you use them to retrieve content to be used by the pages locally. So an error page will not be displayed by the return of an AJAX call. The feature seems to respond with JavaScript which will be interpreted by the browser, launching a popup with the error message.

  • Final results:

    Bug 1: even if you disable AJAX response in your security policy, you get an AJAX response page as long as there is an x-ts-ajax-request:true header present in the request.

    Bug 2: The feature injects JavaScript code within the site, which works fine for all browsers except IE11. The browser refuses to execute the code for security reasons. After checking, it sounds like it's a bug in IE11, but Microsoft states in a blog post that only security issues will be fixed. After digging into the Internet Explorer configuration, this is working when we set Compatibility Mode to IE8, but most modern websites fail in that case.