Based in Melbourne, Australia.


Blocking Internet Explorer - HTTP XSLT


Browser User Agent Checking - Internet Explorer

When Microsoft released Internet Explorer, it blew everyone’s socks right off. Developers finally had a browser that supported CSS, was incredibly fast, supported dynamic HTML, was available cross-platform and even introduced Java and applets to the world. It even had 95 percent market share by 2003.

But that has all changed over the years.
It’s now 3.5 times slower than modern browsers, it’s barely being supported by Microsoft and will be end-of-life by 2025, and it doesn’t support modern JavaScript or CSS standards. Worst of all, just having Internet Explorer on your computer at all can expose you to security threats. Not fun!

So, how do we block it from being used?
A useful link to start with is: How to check the user is using Internet Explorer


Writing our XSLT Rule

Here’s an example that looks for Trident in the user-agent HTTP request header. If the test is successful, we’ll return a location header in the response, directing the browser to an error page we’ve hosted. If Trident isn’t found in the header, the request will be passed on to the server to respond.

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

    <xsl:strip-space elements="*" />

    <!-- Wrap whatever the templates below emit in the change document -->
    <xsl:template match="/">
        <HTTPRequestChange>
            <xsl:apply-templates />
        </HTTPRequestChange>
    </xsl:template>

    <!-- Request headers read once and reused in the templates below -->
    <xsl:variable name="host">
        <xsl:value-of select="//HTTPRequest/Headers/Header[@name='host']" />
    </xsl:variable>

    <xsl:variable name="user-agent">
        <xsl:value-of select="//HTTPRequest/Headers/Header[@name='user-agent']" />
    </xsl:variable>

    <!-- Empty templates: headers and cookies are left unchanged -->
    <xsl:template match="//HTTPRequest/Headers" />
    <xsl:template match="//HTTPRequest/Cookies" />

    <!-- Matches once per request; redirect when the user-agent contains Trident -->
    <xsl:template match="//HTTPRequest/RequestLine/URI">
        <xsl:variable name="uri" select="node()" />
        <xsl:if test="contains($user-agent,'Trident')">
            <HTTPResponseChange action="replace">
                <Version>HTTP/1.1</Version>
                <StatusCode>302</StatusCode>
                <!-- Without a scheme the browser resolves the value as a relative path; https is assumed here -->
                <Header name="location" action="add">https://<xsl:value-of select="$host" />/error/unsupported-browser</Header>
                <Header name="content-type" action="add">application/json</Header>
                <Body>{"error":"Unsupported browser"}</Body>
            </HTTPResponseChange>
        </xsl:if>
    </xsl:template>
    <xsl:template match="//HTTPRequest/Scheme" />

</xsl:stylesheet>

Testing your XSLT rule

You can test your HTTP XSL Transformation rule using this online tool: XSLT Test
Here’s a sample request you can use. Feel free to change it up if needed.

<?xml version="1.0" encoding="UTF-8"?>
<HTTPRequest>
    <RequestLine>
        <Method>GET</Method>
        <URI>/en/us/</URI>
        <Version>HTTP/1.1</Version>
    </RequestLine>
    <Headers>
        <Header name="host">www.ibm.com</Header>
        <Header name="user-agent">Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko</Header>
    </Headers>
</HTTPRequest>
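
A small offline harness for the test described above, added here as an example (not the post's or IBM's code): it rebuilds the sample request in Python and mirrors the rule's `contains($user-agent,'Trident')` check over constructed User-Agent strings. The function names, the sample strings and the extra `MSIE ` token are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample User-Agent strings (not captured traffic).
SAMPLE_AGENTS = {
    "IE 11": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "IE 10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "IE 7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "no header": None,
}


def build_request(user_agent, host="www.ibm.com", uri="/authorise"):
    """Build an HTTPRequest document in the shape of the sample request."""
    root = ET.Element("HTTPRequest")
    line = ET.SubElement(root, "RequestLine")
    for tag, text in (("Method", "GET"), ("URI", uri), ("Version", "HTTP/1.1")):
        ET.SubElement(line, tag).text = text
    headers = ET.SubElement(root, "Headers")
    ET.SubElement(headers, "Header", name="host").text = host
    if user_agent is not None:
        ET.SubElement(headers, "Header", name="user-agent").text = user_agent
    return ET.tostring(root, encoding="unicode")


def evaluate(request_xml, tokens=("Trident",)):
    """Mirror the rule's test: True means the request would be redirected."""
    root = ET.fromstring(request_xml)
    node = root.find("./Headers/Header[@name='user-agent']")
    agent = (node.text or "") if node is not None else ""
    # XSLT contains() is a case-sensitive substring test, like Python's `in`.
    return any(token in agent for token in tokens)


def coverage(tokens=("Trident",)):
    """Map each sample browser to True if the rule would redirect it."""
    return {name: evaluate(build_request(ua), tokens)
            for name, ua in SAMPLE_AGENTS.items()}


if __name__ == "__main__":
    for label, tokens in (("Trident only", ("Trident",)),
                          ("Trident or MSIE", ("Trident", "MSIE "))):
        print(label)
        for name, blocked in coverage(tokens).items():
            print(f"  {name:10} {'redirect' if blocked else 'pass through'}")
```

IE 7 and earlier send `MSIE` without a Trident token, so the single-token test passes them through; the second run shows the effect of also matching `MSIE `.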

Attaching the rule to the request - ACL

In IBM Security Access Manager (ISAM), go to your web settings, select reverse proxy and select your instance. In the reverse proxy configuration file, you can now apply a transformation rule using URL matching, as shown below.

Just remember to add your XSLT rule to HTTP Transformations and deploy your changes first. You kind of need to have something to attach to your WebSEAL instance.

[http-transformations]
# The following files are currently available for this configuration entry:
# - app-useragent.xslt
app-useragent = app-useragent.xslt

[http-transformations:app-useragent]
request-match = request:GET /authorise*
 