"a OWASP CSRFGuard JavaScript was included from within an unauthorized domain".
The problem lies in request.getRequestURL() used by JavaScriptServlet to get the domain origin. When there is a proxyPass between browser and web-Server, "request.getRequestURL()" returns the computer address of the local web-server as seen by the proxyPass server and not the external proxypass url requested by the client browser.
In this pull-request I modified the JavaScriptServlet so that the class prefers the "X-Forwarded-Host" header if it was populated by proxyPass. This header identifies the original host requested by the client in the Host HTTP request header.
If the traffic flows across a proxyPass, this condition of csrfguard.js is not more satisfied.
The user will receive this error:
The problem lies in request.getRequestURL() used by JavaScriptServlet to get the domain origin. When there is a proxyPass between browser and web server, "request.getRequestURL()" returns the computer address of the local web server as seen by the proxyPass server and not the external proxyPass URL requested by the client browser.
In this pull-request I modified the JavaScriptServlet so that the class prefers the "X-Forwarded-Host" header if it was populated by proxyPass. This header identifies the original host requested by the client in the Host HTTP request header.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
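
Because any client can send its own X-Forwarded-Host header, a servlet that prefers it should accept it only from a known proxy and only for expected public host names. The following is an added example of that check, not code from this pull request or from CSRFGuard; the class name, `TRUSTED_PROXIES`, `ALLOWED_HOSTS` and all addresses and host names are constructed assumptions, and the string parameters stand in for the values of `request.getRequestURL()`, `request.getHeader("X-Forwarded-Host")` and `request.getRemoteAddr()`.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class ForwardedHostResolver {
    // Constructed sample configuration (assumptions, not CSRFGuard settings).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    /**
     * Returns the host to treat as the origin domain of the script request.
     * requestUrl    : value of request.getRequestURL()
     * forwardedHost : value of the X-Forwarded-Host header, may be null
     * remoteAddr    : value of request.getRemoteAddr()
     */
    static String resolveHost(String requestUrl, String forwardedHost, String remoteAddr) {
        String localHost = URI.create(requestUrl).getHost();
        // Header absent, or the peer is not our proxy: ignore the header.
        if (forwardedHost == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return localHost;
        }
        // A proxy may append to an existing header; the last entry is the one
        // written by the proxy that connected to this server.
        String[] parts = forwardedHost.split(",");
        String candidate = parts[parts.length - 1].trim().toLowerCase(Locale.ROOT);
        // Strip an optional port; values with several colons (IPv6 literals)
        // are left as-is and then fail the allow-list check below.
        int colon = candidate.lastIndexOf(':');
        if (colon > 0 && candidate.indexOf(':') == colon) {
            candidate = candidate.substring(0, colon);
        }
        // Accept only host names this deployment is known to be published under.
        return ALLOWED_HOSTS.contains(candidate) ? candidate : localHost;
    }

    public static void main(String[] args) {
        String url = "http://192.168.1.20:8080/app/JavaScriptServlet";
        // Header set by the trusted proxy.
        System.out.println(resolveHost(url, "app.example.com", "10.0.0.5"));
        // Client-supplied entry followed by the proxy's own entry with a port.
        System.out.println(resolveHost(url, "other.example.net, app.example.com:443", "10.0.0.5"));
        // Unexpected host name arriving through the proxy.
        System.out.println(resolveHost(url, "other.example.net", "10.0.0.5"));
        // Expected host name, but the peer is not the trusted proxy.
        System.out.println(resolveHost(url, "app.example.com", "203.0.113.9"));
        // No proxy header at all.
        System.out.println(resolveHost(url, null, "10.0.0.5"));
    }
}
```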