Last update: 4 August 2017
With an Internet Explorer update deployed by Windows Update, the Cross-Site Scripting Filter (XSS-Filter) of Internet Explorer was updated. With this update installed at the client, the Fabasoft eGov-Suite does not work as expected.
Information about Microsoft Security Bulletin MS11-099 can be found at http://technet.microsoft.com/security/bulletin/MS11-099.
When you work in the Fabasoft eGov-Suite / Fabasoft Folio using Microsoft Internet Explorer and a new window is opened (e.g. by editing an object), you get a warning in the browser's Information Bar: "Internet Explorer has modified this page to prevent a potential cross-site scripting attack. Click here for more information...". The window you opened stays empty.
Our current tests and feedback from our customers confirm this behaviour at least for the following configuration:
UPDATE: Fabasoft could verify that the behaviour may also occur with current Fabasoft Folio 2011 and Fabasoft Folio 2012 installations if VAPPs are opened in a new window (instead of using the overlay technology). This issue is fixed in Fabasoft Folio 2012 Summer Release.
The Internet Explorer zone "Local Intranet" has the XSS filter disabled by default. If you run the Fabasoft eGov-Suite in the "Trusted sites" zone, move the URL to the "Local Intranet" zone. This avoids the behaviour.
This setting can be rolled out by a domain policy.
Note: Please double-check that the XSS filter is disabled in the "Local Intranet" zone. If this is not the case, use solution 2.
Use this workaround to disable the XSS filter for the security zone in use in Internet Explorer and re-enable the functionality of the Fabasoft eGov-Suite:
This setting can be rolled out by a domain policy.
Use this workaround to let IIS send a special HTTP header telling the client to disable the XSS filter for this specific web server. This configuration is done on the web servers and is therefore the easiest to implement. No client configuration is necessary.
1. Open /etc/fabasoft/web/Webservice_.conf for each Webservice.
2. Add the module mod_headers:
   LoadModule headers_module /usr/lib64/httpd/modules/mod_headers.so
3. Add the line
   Header set X-XSS-Protection "0"
   for example into the Directory section:
   Options FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
   # Requires mod_headers (step 2); without it httpd rejects the Header directive on startup
   Header set X-XSS-Protection "0"
4. Restart the Webservice.
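To confirm that the workaround in solution 3 is in place, the following shell script is an added verification example (it is not part of this article or of the Fabasoft product): it checks that the web server configuration loads mod_headers and sets the header, and that a captured HTTP response actually carries X-XSS-Protection: 0. The Directory path and the response headers in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added verification script (not Fabasoft's own code): checks that the
# X-XSS-Protection workaround is configured and delivered to the browser.

# check_conf FILE: succeed only if FILE loads mod_headers AND sets the header.
# Without the LoadModule line httpd refuses to start ("Invalid command 'Header'"),
# so the directive alone is not enough.
check_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module[[:space:]]' "$conf" \
        || { echo "missing: LoadModule headers_module" >&2; return 1; }
    grep -Eq '^[[:space:]]*Header[[:space:]]+set[[:space:]]+X-XSS-Protection[[:space:]]+"?0"?[[:space:]]*$' "$conf" \
        || { echo 'missing: Header set X-XSS-Protection "0"' >&2; return 1; }
}

# xss_header_value HEADERS: print the X-XSS-Protection value from a raw response
# header block (e.g. the output of: curl -sI http://server/), case-insensitive.
xss_header_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': *' 'tolower($1) == "x-xss-protection" { print $2; exit }'
}

# check_response HEADERS: succeed only if the server tells IE to disable the filter.
check_response() {
    [ "$(xss_header_value "$1")" = "0" ]
}

# Constructed sample inputs (placeholder path, made-up responses) for a stand-alone run.
SAMPLE_CONF='LoadModule headers_module /usr/lib64/httpd/modules/mod_headers.so
<Directory "/PLACEHOLDER/webservice-docroot">
    Options FollowSymLinks
    Header set X-XSS-Protection "0"
</Directory>'
GOOD_RESPONSE='HTTP/1.1 200 OK
Server: Apache
X-XSS-Protection: 0
Content-Type: text/html'
BAD_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html'
BLOCK_RESPONSE='HTTP/1.1 200 OK
x-xss-protection: 1; mode=block'

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
check_conf "$tmp" && echo "config: ok"
check_response "$GOOD_RESPONSE" && echo "response: filter disabled"
check_response "$BAD_RESPONSE" || echo "response: header missing, IE filter stays active"
rm -f "$tmp"
```

Against a live server, pipe the output of `curl -sI` for the Webservice URL into check_response in place of the constructed samples.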