Appendix E - Browser specific issues
This Appendix outlines issues regarding specific browser versions that merchants should address in their BankID Web-client implementation. For an updated list of known issues please see [BIKI]. Contents of the UserAgent blacklist and UserAgent CSP exceptions list are described in [BUBO] and [BUCO] respectively.
Internet Explorer
IE in general
IE and frameMode = redirect
Tests have shown that using Internet Explorer with frameMode = redirect does not work when IE's Trusted sites security levels are set to High. If Trusted sites security levels are set to Low IE displays a question to the user whether she wants to accept the redirect and then the redirect takes place.
IE9
IE9 sends XdomainRequest as text_plain
When receiving XdomainRequests from IE9, the requests are sent with Content-type: text/plain. This is something the merchant application might need to handle differently from requests that are received as Content-type: application/x-www-form-urlencoded.
Note: Some merchants have experienced that IE9 may send requests without any content type specified, thus it is recommended that merchants take this fact into consideration and parse the input manually as if they were of content-type application/x-www-form-urlencoded.
Instead of calling request.getParameter(«paramName»); the parameters must be fetched by calling request.getInputStream(); and subsequently parse the input stream manually.
IE9 and X-ua-compatible
To force Internet Explorer to use the latest engine (i.e. not pretending to be IE8 when it actually is IE9), add the X-ua-compatible parameter as an http response header: bc. X-ua-compatible:IE=edge,chrome=1
response.setHeader("X-UA-Compatible", "IE=edge,chrome=1");
IE9 and withCredentials
IE9 does not support the use of withCredentials, which means merchants cannot rely on the use of cookies for session handling in this case.
IE11
IE 11 and show-hide password dialogue
On devices with IE11 and Windows 8.1 and build versions 11.0.9600 16384 through 11.0.9600 16438 the second password may disappear after both new password have been entered and the buttons Show password and Hide password have been tapped during a password change-process.
This bug is resolved by installing the Cumulative Security Update for Internet Explorer 11 for Windows 8.1 (KB2925418) or newer. This problem does not occur on devices with build versions 11.0.9600 16521 and newer.
IE and security zones
Internet Explorer assigns all websites to a security zone. The default zone is the Internet zone. If the URL follows the UNC naming convention, does not include any periods or it bypasses the proxy server, it will automatically be assigned to the Local Intranet zone1.
Web sites assigned to different security zones are generally not allowed to communicate with each other. If the merchant application has been assigned to either the Local Intranet zone or in Trusted sites, the *.bankid.no domain also needs to be assigned to the same security zone as the merchant application.
IE and frameMode=”window”
The Helper and the Web-client communicate through the use of postMessage. IE only allows postMessage between a window and an embedded iframe. This effectively means that frameMode="window" does not work on IE.
Firefox
Firefox and character ‘;’ in merchant URL
Firefox versions 33 – 35 in combination with merchantURLs containing the character ';' have revealed problems with regards to how Firefox handles CSP. The error was reported to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1094067. A fix was included in version 37.