1. The logic in the ajax.html test page from the JSP test webapp inco…

…rrectly assumed that HTTP status code 200 always means the CSRF token validation succeeded. This is not the case if the default error redirect action is enabled that returns the error.html page.

2. Added OWASP favicon.ico

csrfguard-test/csrfguard-test-jsp/src/main/webapp/ajax.html

@@ -1,75 +1,70 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
+<html lang="en">
+<script src="/JavaScriptServlet" type="text/javascript"></script>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Ajax Header Verification</title>
-<script type="text/javascript">
-function ajax(method, uri, body) {
-	var xhr = new XMLHttpRequest();
+    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+    <title>Ajax Header Verification</title>
+    <script type="text/javascript">
+        function ajax(method, uri, body) {
+            const xhr = new XMLHttpRequest();
 
-	xhr.onreadystatechange = function() {
-		//alert("readyState: " + xhr.readyState + " status: " + xhr.status + " text: " + xhr.statusText);
-		if(xhr.readyState == 4) {
-			if(xhr.status == 200) {
-				alert('200: passed csrf check');
-			} else {
-				alert(xhr.status + ': failed csrf check');
-			}
-		}
-	}
+            xhr.onreadystatechange = function () {
+                if (xhr.readyState === 4) {
+                    if (xhr.status === 200 && xhr.responseURL.endsWith(uri)) {
+                        alert('200: CSRF check passed!');
+                    } else {
+                        alert('CSRF check FAILED!\nStatus code: ' + xhr.status + '\nResponse URL:\n' + xhr.responseURL);
+                    }
+                }
+            }
 
-	xhr.open(method, uri, true);
-	xhr.send(body);
-}
+            xhr.open(method, uri, true);
+            xhr.send(body);
+        }
 
-function sendForm() {
-	var form = document.getElementById('form');
+        function sendForm() {
+            let body = 'text=' + document.getElementById('text').value;
+            body = body + '&submit=' + document.getElementById('submit').value;
 
-	var body = 'text=' + document.getElementById('text').value;
-	body = body + '&submit=' + document.getElementById('submit').value;
+            ajax('POST', 'protect.html', body);
+        }
 
-	ajax('POST', 'protect.html', body);
-}
+        function domTest() {
+            const div = document.getElementById('ajax');
 
-function domTest() {
-	div = document.getElementById('ajax');
+            const internalAnchor = document.createElement('a');
+            internalAnchor.setAttribute('href', 'protect.html');
+            internalAnchor.appendChild(document.createTextNode('protect.html'));
 
-	anchor = document.createElement('a');
-	anchor.setAttribute('href', 'protect.html');
-	anchor.appendChild(document.createTextNode('protect.html'));
-
-	div.appendChild(anchor);
-	div.appendChild(document.createElement('br'));
-	div.appendChild(document.createElement('br'));
-
-	anchor = document.createElement('a');
-	anchor.setAttribute('href', 'google.com');
-	anchor.appendChild(document.createTextNode('google.com'));
-
-	div.appendChild(anchor);
-	div.appendChild(document.createElement('br'));
-	div.appendChild(document.createElement('br'));
-}
+            div.appendChild(internalAnchor);
+            div.appendChild(document.createElement('br'));
+            div.appendChild(document.createElement('br'));
 
-</script>
+            const externalAnchor = document.createElement('a');
+            externalAnchor.setAttribute('href', 'https://www.google.com');
+            externalAnchor.appendChild(document.createTextNode('google.com'));
+
+            div.appendChild(externalAnchor);
+            div.appendChild(document.createElement('br'));
+            div.appendChild(document.createElement('br'));
+        }
+    </script>
 </head>
 <body onload="javascript:domTest();">
-<h3>Test Link(s)</h3>
-<ul>
-	<li><a href="#" onclick="ajax('GET', 'protect.html', '')">protect.html</a></li>
-	<li><a href="#" onclick="ajax('GET', '/protect.html', '')">/protect.html</a></li>
-	<li><a href="#" onclick="ajax('GET', 'http://localhost/test.html', '')">http://localhost/test.html</a></li>
-	<li><a href="#">javascript:alert('test')</a></li>
-</ul>
-<br/>
-<h3>Test Form(s)</h3>
-<form id="form" name="test1" action="#" onsubmit="return false">
-	<input id="text" type="text" name="text" value="text"/>
-	<input id="submit" type="submit" name="submit" value="submit" onclick="sendForm()"/>
-</form>
-<h3>Dom Test</h3>
-<div id="ajax"></div>
+	<h3>Test Link(s)</h3>
+	<ul>
+		<li><a href="#" onclick="ajax('GET', 'protect.html', '')">protect.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/protect.html', '')">/protect.html</a></li>
+		<li><a href="#" onclick="ajax('GET', '/test.html', '')">test.html</a></li>
+		<li><a href="#">javascript:alert('test')</a></li>
+	</ul>
+	<br/>
+	<h3>Test Form(s)</h3>
+	<form id="form" name="test1" action="#" onsubmit="return false">
+		<input id="text" type="text" name="text" value="text"/>
+		<input id="submit" type="submit" name="submit" value="submit" onclick="sendForm()"/>
+	</form>
+	<h3>Dom Test</h3>
+	<div id="ajax"></div>
 </body>
-<!-- OWASP CSRFGuard Ajax Support -->
-<script src="/JavaScriptServlet"></script>
 </html>