Saturday, August 2, 2008

Firefox 3 Content-Type Header Conflict with mod security

I installed an AJAX chat/shoutbox application on a web server and was wondering why it wasn't working under Firefox 3. Using the excellent Mozilla Firefox addon Firebug, I noticed that the POST request to the target PHP script was getting a 403 Forbidden error. I have mod_security installed on the server, so I took a look at the audit_log and noticed the following (excerpt) for the particular request that was being denied:

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" at HEADER("Content-Type") [severity "EMERGENCY"]

Apparently Firefox 3 adds "charset=UTF-8" to the Content-Type header. So in summary:

Firefox 2/Internet Explorer sends: "application/x-www-form-urlencoded"
Firefox 3 sends: "application/x-www-form-urlencoded; charset=UTF-8"

So I changed the following in mod_security.conf:

SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

to:

SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded*|^multipart/form-data)"

And it worked. But now I'm having some oddball caching issue with Firefox 3 where it doesn't want to refresh the AJAX chat application right after a new message has been posted...
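To see exactly what each version of the rule accepts, here is an added example (not part of the original post) that runs the original pattern, the loosened one above, and an assumed stricter alternative against constructed Content-Type values. The rule's leading "!" means mod_security denies when the header does not match the alternation, which is what the denied() helper models; the stricter pattern and the sample values are assumptions, not from the post.

```python
import re

# Alternations copied from the post's two rules, plus one assumed tighter variant.
# mod_security denies the request when the header does NOT match (the "!" in the rule).
RULES = {
    # Original rule: exact form-urlencoded type, nothing after it.
    "original": r"^$|^application/x-www-form-urlencoded$|^multipart/form-data",
    # The post's fix. The '*' only quantifies the final 'd'; what actually widened
    # the match is the dropped '$', which turns it into a prefix match.
    "loosened": r"^$|^application/x-www-form-urlencoded*|^multipart/form-data",
    # Assumed stricter alternative: keep the end anchor and permit only an
    # optional charset parameter after the form-urlencoded type.
    "strict": r"^$|^application/x-www-form-urlencoded(;\s*charset=[\w-]+)?$|^multipart/form-data",
}


def denied(rule_name, content_type):
    """True if the named rule would return 403 for this Content-Type value.

    Matching is case-sensitive here; mod_security's own matching flags are
    not reproduced, but none of the sample values depend on case.
    """
    return re.search(RULES[rule_name], content_type) is None


def evaluate(content_type):
    """Map each rule name to whether it denies the given header value."""
    return {name: denied(name, content_type) for name in RULES}


# Constructed sample header values, including the Firefox 2 and Firefox 3 ones from the post.
SAMPLES = [
    "application/x-www-form-urlencoded",                 # Firefox 2 / IE
    "application/x-www-form-urlencoded; charset=UTF-8",  # Firefox 3
    "multipart/form-data; boundary=----constructed",     # file upload form
    "application/x-www-form-urlencoded; foo=bar",        # arbitrary extra parameter
    "application/x-www-form-urlencode",                  # missing trailing 'd'
    "text/xml",                                          # unrelated type
    "",                                                  # no Content-Type at all
]

if __name__ == "__main__":
    for ct in SAMPLES:
        verdicts = evaluate(ct)
        summary = "  ".join(f"{n}={'DENY' if d else 'allow'}" for n, d in verdicts.items())
        print(f"{ct!r:55} {summary}")
```

The run shows that the loosened rule also lets through any trailing parameter and even a misspelled type, while the stricter pattern admits the Firefox 3 header and nothing else beyond the original.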

6 comments:

deb248211 said...

Thank you!

I had the same problem with using xmlHttp and Firefox3. I'm using Ajax based Chat (https://blueimp.net/ajax/) too, so will have to check what the effects are on that.

Anonymous said...

Thanks for that post, Dave. A question. What do you do when you DON'T have access to the server? I can only write CGI Perl scripts.

A question to Mozilla. Will all the Apache servers on the planet have to be reconfigured because FF3 arrived? Or maybe all Apache servers will have to be replaced with, say, IIS? Am I missing something here, or are there some serious problems with FF3?

Tech Journalist said...

Are you sure that your hosting provider has mod_security on? You could ask them to change that particular rule in the mod_security.conf file.

Despite these problems, I still love using Apache and Firefox, however. :-)

Anonymous said...

Yes, tech journalist, I could ask for changing that rule. At this point it's the only option unless you wanna show the finger to all FF3 users.

Now another question. Why is it that originally, mod security in Apache didn't allow spaces after the content type? I have no idea, but I'm guessing there might have been a good reason for that.

Maybe allowing for the additional content in that particular header will open Apache to some nasty hack attempts. I'm wondering what someone who administers Apache on a serious system would have to say about that.

Tech Journalist said...

^^You do have a point there. I don't know the answer. Perhaps it would be better to add another rule that allows for that specific Firefox 3 Content-Type header.

Anonymous said...

That sounds like a good solution.