Index: lams_central/conf/security/Owasp.CsrfGuard.properties
===================================================================
diff -u -r40de3afab4e8d589660daffb6efd6e568e87f8fa -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision 40de3afab4e8d589660daffb6efd6e568e87f8fa)
+++ lams_central/conf/security/Owasp.CsrfGuard.properties	(.../Owasp.CsrfGuard.properties)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -62,6 +62,7 @@
 
 #Author
 org.owasp.csrfguard.protected.centralAuthorSaveLearningDesign=/lams/authoring/saveLearningDesign.do
+org.owasp.csrfguard.protected.centralExportLearningDesign=/lams/authoring/exportToolContent/export.do
 org.owasp.csrfguard.protected.centralAuthorDeleteResource=/lams/workspace/deleteResource.do
 org.owasp.csrfguard.protected.centralAuthorCreateFolder=/lams/workspace/createFolder.do
 org.owasp.csrfguard.protected.centralAuthorRenameResource=/lams/workspace/renameResource.do
@@ -105,6 +106,7 @@
 org.owasp.csrfguard.protected.assessmentDiscloseCorrectAnswers=/lams/tool/laasse10/monitoring/discloseCorrectAnswers.do
 org.owasp.csrfguard.protected.assessmentDiscloseGroupsAnswers=/lams/tool/laasse10/monitoring/discloseGroupsAnswers.do
 org.owasp.csrfguard.protected.assessmentMonitoringSubmissionDeadline=/lams/tool/laasse10/monitoring/setSubmissionDeadline.do
+org.owasp.csrfguard.protected.assessmentMonitoringExportExcel=/lams/tool/laasse10/monitoring/exportSummary.do
 org.owasp.csrfguard.protected.assessmentSaveUserGrade=/lams/tool/laasse10/monitoring/saveUserGrade.do
 
 org.owasp.csrfguard.protected.chatAuthoringSave=/lams/tool/lachat11/authoring/updateContent.do
@@ -139,6 +141,7 @@
 org.owasp.csrfguard.protected.lamcAuthoringSave=/lams/tool/lamc11/authoring/submitAllContent.do
 org.owasp.csrfguard.protected.lamcAuthoringDefineLater=/lams/tool/lamc11/authoring/definelater.do
 org.owasp.csrfguard.protected.lamcMonitoringSubmissionDeadline=/lams/tool/lamc11/monitoring/setSubmissionDeadline.do
+org.owasp.csrfguard.protected.lamcMonitoringExportExcel=/lams/tool/lamc11/monitoring/downloadMarks.do
 org.owasp.csrfguard.protected.lamcSaveUserMark=/lams/tool/lamc11/monitoring/saveUserMark.do
 
 org.owasp.csrfguard.protected.leaderAuthoringSave=/lams/tool/lalead11/authoring/updateContent.do
@@ -197,6 +200,7 @@
 org.owasp.csrfguard.protected.scratchieAuthoringSaveItem=/lams/tool/lascrt11/authoring/saveItem.do
 org.owasp.csrfguard.protected.scratchieAuthoringRemoveItem=/lams/tool/lascrt11/authoring/removeItem.do
 org.owasp.csrfguard.protected.scratchieMonitoringSubmissionDeadline=/lams/tool/lascrt11/monitoring/setSubmissionDeadline.do
+org.owasp.csrfguard.protected.scratchieTblMonitoringExportExcel=/lams/tool/lascrt11/tblmonitoring/exportExcel.do
 org.owasp.csrfguard.protected.scratchieSaveUserMark=/lams/tool/lascrt11/monitoring/saveUserMark.do
 
 org.owasp.csrfguard.protected.spreadsheetAuthoringSave=/lams/tool/lasprd10/authoring/updateContent.do
Index: lams_central/src/java/org/lamsfoundation/lams/authoring/web/ExportToolContentController.java
===================================================================
diff -u -r0d0ccac606a59f73ed3209901b1d7d98371fb4be -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_central/src/java/org/lamsfoundation/lams/authoring/web/ExportToolContentController.java	(.../ExportToolContentController.java)	(revision 0d0ccac606a59f73ed3209901b1d7d98371fb4be)
+++ lams_central/src/java/org/lamsfoundation/lams/authoring/web/ExportToolContentController.java	(.../ExportToolContentController.java)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -42,6 +42,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
@@ -62,7 +63,7 @@
     private Logger log = Logger.getLogger(ExportToolContentController.class);
 
 
-    @RequestMapping("/authoring/exportToolContent/export")
+    @RequestMapping(path = "/authoring/exportToolContent/export", method = RequestMethod.POST)
     @ResponseBody
     private void exportLD(HttpServletRequest request, HttpServletResponse response) {
 	Long learningDesignId = WebUtil.readLongParam(request, ExportToolContentController.PARAM_LEARING_DESIGN_ID);
Index: lams_central/web/authoring/authoring.jsp
===================================================================
diff -u -r4c2d1f37b92435907ec4ce23cb635a7cd9e4161e -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_central/web/authoring/authoring.jsp	(.../authoring.jsp)	(revision 4c2d1f37b92435907ec4ce23cb635a7cd9e4161e)
+++ lams_central/web/authoring/authoring.jsp	(.../authoring.jsp)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <%@ include file="/common/taglibs.jsp"%>
+<%@ page import="org.lamsfoundation.lams.util.Configuration" import="org.lamsfoundation.lams.util.ConfigurationKeys" %>
 
 <lams:html>
 <lams:head>
Index: lams_central/web/error.jsp
===================================================================
diff -u -rae4e7fd3d6b21cb7f41a733565442950cdd9d232 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_central/web/error.jsp	(.../error.jsp)	(revision ae4e7fd3d6b21cb7f41a733565442950cdd9d232)
+++ lams_central/web/error.jsp	(.../error.jsp)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <%@ include file="/common/taglibs.jsp"%>
+<%@ page language="java" isErrorPage="true" pageEncoding="UTF-8" contentType="text/html;charset=utf-8"%>
 <%@ page import="org.lamsfoundation.lams.util.Configuration" import="org.lamsfoundation.lams.util.ConfigurationKeys" %>
 <c:set var="showErrorStack"><lams:Configuration key='<%= ConfigurationKeys.ERROR_STACK_TRACE %>'/></c:set>
 
Index: lams_central/web/includes/javascript/authoring/authoringMenu.js
===================================================================
diff -u -r495d8ba0d70ac286d4e8aaa40dd390669cf59e99 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_central/web/includes/javascript/authoring/authoringMenu.js	(.../authoringMenu.js)	(revision 495d8ba0d70ac286d4e8aaa40dd390669cf59e99)
+++ lams_central/web/includes/javascript/authoring/authoringMenu.js	(.../authoringMenu.js)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -250,8 +250,13 @@
 			'modal'	   : true,
 			'title'	   : LABELS.EXPORT_SEQUENCE_DIALOG_TITLE,
 			'open'	   : function() {
-				$('iframe', this).attr('src', LAMS_URL + 'authoring/exportToolContent/export.do?learningDesignID='
-									  	  			   + layout.ld.learningDesignID);
+				//dynamically create a form and submit it
+				var exportExcelUrl = LAMS_URL + 'authoring/exportToolContent/export.do?learningDesignID=' + layout.ld.learningDesignID;
+				var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+			    var hiddenInput = $('<input type="hidden" name="' + csrfTokenName + '" value="' + csrfTokenValue + '"></input>');
+			    form.append(hiddenInput);
+			    $(document.body).append(form);
+			    form.submit();
 			}
 		}, false)
 		.addClass('smallHeader')
Index: lams_central/web/profile/portrait.jsp
===================================================================
diff -u -r40de3afab4e8d589660daffb6efd6e568e87f8fa -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_central/web/profile/portrait.jsp	(.../portrait.jsp)	(revision 40de3afab4e8d589660daffb6efd6e568e87f8fa)
+++ lams_central/web/profile/portrait.jsp	(.../portrait.jsp)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -122,9 +122,9 @@
 </lams:head>
 
 <body>
-<form:form action="saveportrait.do" method="post" modelAttribute="PortraitActionForm" id="PortraitActionForm" >
+<c:set var="csrfToken"><csrf:token/></c:set>
+<form:form action="saveportrait.do?${csrfToken}" method="post" modelAttribute="PortraitActionForm" id="PortraitActionForm" >
 	<form:hidden path="portraitUuid" />
-	<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"/>
 	<div style="clear: both"></div>
 	
 	<div class="container">
Index: lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/web/controller/MonitoringController.java
===================================================================
diff -u -r82166d9c82b6d5ef5fd3f22db5174bbee8a286f4 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/web/controller/MonitoringController.java	(.../MonitoringController.java)	(revision 82166d9c82b6d5ef5fd3f22db5174bbee8a286f4)
+++ lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/web/controller/MonitoringController.java	(.../MonitoringController.java)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -69,11 +69,13 @@
 import org.lamsfoundation.lams.web.util.SessionMap;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.util.HtmlUtils;
 
 import com.fasterxml.jackson.databind.node.ArrayNode;
@@ -495,9 +497,10 @@
     /**
      * Excel Summary Export.
      */
+    @RequestMapping(path = "/exportSummary", method = RequestMethod.POST)
     @SuppressWarnings("unchecked")
-    @RequestMapping("/exportSummary")
-    public String exportSummary(HttpServletRequest request, HttpServletResponse response) throws IOException {
+    @ResponseStatus(HttpStatus.OK)
+    public void exportSummary(HttpServletRequest request, HttpServletResponse response) throws IOException {
 	String sessionMapID = request.getParameter(AssessmentConstants.ATTR_SESSION_MAP_ID);
 	String fileName = null;
 	boolean showUserNames = true;
@@ -521,7 +524,7 @@
 
 	Assessment assessment = service.getAssessmentByContentId(contentId);
 	if (assessment == null) {
-	    return null;
+	    return;
 	}
 
 	List<ExcelSheet> sheets = service.exportSummary(assessment, sessionDtos, showUserNames);
@@ -543,8 +546,6 @@
 
 	ServletOutputStream out = response.getOutputStream();
 	ExcelUtil.createExcel(out, sheets, service.getMessage("label.export.exported.on"), true);
-
-	return null;
     }
 
     @RequestMapping("/statistic")
Index: lams_tool_assessment/web/pages/tblmonitoring/assessmentStudentChoices.jsp
===================================================================
diff -u -r00e3c6b7660be7f304a284698c23aa899862fb98 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_tool_assessment/web/pages/tblmonitoring/assessmentStudentChoices.jsp	(.../assessmentStudentChoices.jsp)	(revision 00e3c6b7660be7f304a284698c23aa899862fb98)
+++ lams_tool_assessment/web/pages/tblmonitoring/assessmentStudentChoices.jsp	(.../assessmentStudentChoices.jsp)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -8,7 +8,13 @@
 </style>
 <script>
 	function exportExcel(){
-		location.href = "<lams:LAMSURL/>tool/laasse10/monitoring/exportSummary.do?toolContentID=${toolContentID}&downloadTokenValue=dummy&fileName=assessment_export.xlsx&reqID=" + (new Date()).getTime();
+		//dynamically create a form and submit it
+		var exportExcelUrl = "<lams:LAMSURL/>tool/laasse10/monitoring/exportSummary.do?toolContentID=${toolContentID}&downloadTokenValue=dummy&fileName=assessment_export.xlsx&reqID=" + (new Date()).getTime();
+		var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+	    var hiddenInput = $('<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"></input>');
+	    form.append(hiddenInput);
+	    $(document.body).append(form);
+	    form.submit();
 	};
 </script>
 
Index: lams_tool_assessment/web/pages/tblmonitoring/iraAssessmentStudentChoices.jsp
===================================================================
diff -u -re7ba02fbd771cb86ff621168fed50bd21d00d0d1 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_tool_assessment/web/pages/tblmonitoring/iraAssessmentStudentChoices.jsp	(.../iraAssessmentStudentChoices.jsp)	(revision e7ba02fbd771cb86ff621168fed50bd21d00d0d1)
+++ lams_tool_assessment/web/pages/tblmonitoring/iraAssessmentStudentChoices.jsp	(.../iraAssessmentStudentChoices.jsp)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -1,7 +1,13 @@
 <%@ include file="/common/taglibs.jsp"%>
 <script>
 	function exportExcel(){
-		location.href = "<lams:LAMSURL/>tool/laasse10/monitoring/exportSummary.do?toolContentID=${toolContentID}&downloadTokenValue=dummy&fileName=assessment_export.xlsx&reqID=" + (new Date()).getTime();
+		//dynamically create a form and submit it
+		var exportExcelUrl = "<lams:LAMSURL/>tool/laasse10/monitoring/exportSummary.do?toolContentID=${toolContentID}&downloadTokenValue=dummy&fileName=assessment_export.xlsx&reqID=" + (new Date()).getTime();
+		var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+	    var hiddenInput = $('<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"></input>');
+	    form.append(hiddenInput);
+	    $(document.body).append(form);
+	    form.submit();
 	};
 </script>
 
Index: lams_tool_lamc/src/java/org/lamsfoundation/lams/tool/mc/web/controller/McMonitoringController.java
===================================================================
diff -u -reacf8690251ab940327df77e457801bbe436476f -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_tool_lamc/src/java/org/lamsfoundation/lams/tool/mc/web/controller/McMonitoringController.java	(.../McMonitoringController.java)	(revision eacf8690251ab940327df77e457801bbe436476f)
+++ lams_tool_lamc/src/java/org/lamsfoundation/lams/tool/mc/web/controller/McMonitoringController.java	(.../McMonitoringController.java)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -260,9 +260,8 @@
     /**
      * downloadMarks
      */
-    @RequestMapping("/downloadMarks")
+    @RequestMapping(path = "/downloadMarks", method = RequestMethod.POST)
     public String downloadMarks(HttpServletRequest request, HttpServletResponse response) throws IOException {
-
 	Long toolContentID = WebUtil.readLongParam(request, AttributeNames.PARAM_TOOL_CONTENT_ID, false);
 
 	McContent mcContent = mcService.getMcContent(new Long(toolContentID));
Index: lams_tool_lamc/web/tblmonitoring/mcqStudentChoices.jsp
===================================================================
diff -u -re7ba02fbd771cb86ff621168fed50bd21d00d0d1 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_tool_lamc/web/tblmonitoring/mcqStudentChoices.jsp	(.../mcqStudentChoices.jsp)	(revision e7ba02fbd771cb86ff621168fed50bd21d00d0d1)
+++ lams_tool_lamc/web/tblmonitoring/mcqStudentChoices.jsp	(.../mcqStudentChoices.jsp)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -1,7 +1,13 @@
 <%@ include file="/common/taglibs.jsp"%>
 <script>
 	function exportExcel(){
-		location.href = "<lams:LAMSURL/>tool/lamc11/monitoring/downloadMarks.do?downloadTokenValue=jjj&toolContentID=${toolContentID}&reqID=" + (new Date()).getTime();
+		//dynamically create a form and submit it
+		var exportExcelUrl = "<lams:LAMSURL/>tool/lamc11/monitoring/downloadMarks.do?downloadTokenValue=jjj&toolContentID=${toolContentID}&reqID=" + (new Date()).getTime();
+		var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+	    var hiddenInput = $('<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"></input>');
+	    form.append(hiddenInput);
+	    $(document.body).append(form);
+	    form.submit();
 	};
 </script>
 
Index: lams_tool_scratchie/src/java/org/lamsfoundation/lams/tool/scratchie/web/controller/TblMonitorController.java
===================================================================
diff -u -rcbf95a868252401757c61327b3d9a383119ff9b5 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_tool_scratchie/src/java/org/lamsfoundation/lams/tool/scratchie/web/controller/TblMonitorController.java	(.../TblMonitorController.java)	(revision cbf95a868252401757c61327b3d9a383119ff9b5)
+++ lams_tool_scratchie/src/java/org/lamsfoundation/lams/tool/scratchie/web/controller/TblMonitorController.java	(.../TblMonitorController.java)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -63,6 +63,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 
@@ -186,10 +187,8 @@
      * Exports tool results into excel.
      *
      * Had to move it from the tool as tool uses SessionMap
-     *
-     * @throws IOException
      */
-    @RequestMapping("/exportExcel")
+    @RequestMapping(path = "/exportExcel", method = RequestMethod.POST)
     @ResponseStatus(HttpStatus.OK)
     public void exportExcel(HttpServletRequest request, HttpServletResponse response) throws IOException {
 
Index: lams_tool_scratchie/web/pages/tblmonitoring/traStudentChoices.jsp
===================================================================
diff -u -rcbf95a868252401757c61327b3d9a383119ff9b5 -rbac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7
--- lams_tool_scratchie/web/pages/tblmonitoring/traStudentChoices.jsp	(.../traStudentChoices.jsp)	(revision cbf95a868252401757c61327b3d9a383119ff9b5)
+++ lams_tool_scratchie/web/pages/tblmonitoring/traStudentChoices.jsp	(.../traStudentChoices.jsp)	(revision bac8a1d9f2b37ca6e26f275886b9e6603a6c0fb7)
@@ -32,7 +32,13 @@
 
 <script>
 	function exportExcel(){
-		location.href = "<lams:LAMSURL/>tool/lascrt11/tblmonitoring/exportExcel.do?toolContentID=${toolContentID}&reqID=" + (new Date()).getTime();
+		//dynamically create a form and submit it
+		var exportExcelUrl = "<lams:LAMSURL/>tool/lascrt11/tblmonitoring/exportExcel.do?toolContentID=${toolContentID}&reqID=" + (new Date()).getTime();
+		var form = $('<form method="post" action="' + exportExcelUrl + '"></form>');
+	    var hiddenInput = $('<input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>"></input>');
+	    form.append(hiddenInput);
+	    $(document.body).append(form);
+	    form.submit();
 	};
 </script>