ModSecurity vs FF3 and XMLHttpRequest

[MarkP]

Dose anyone know why post requests made by firefox 3 using XMLHttpRequest are blocked buy mod_security?
All the other browsers (incl ff2) work fine and when I turn the SecFilterEngine off, firefox 3 can be used as well.

[NickJ]

Versions of Firefox prior to version 3 always send the request
using UTF-8 encoding; Firefox 3 properly sends the document using the
encoding specified by data.xmlEncoding, or UTF-8 if no encoding is
specified. You can refer developer.mozilla.org/en/docs/XMLHttpRequest for further information.

Regards,
Nick J.

[NickJ]

Also, as per computer-internet.marc8.com/encoding-issue-xmlhttprequest-and-firefox-3-christian-sto

In Firefox 3.0.0 there is a "strange" regression issue regarding the encoding of XMLHttpRequest requests.

It's not a bug per se, it's just different behavior, which we ran into (and no other browser does it this way)

What we basically do on the client side in javascript:

this.data = new XMLHttpRequest(); this.data.open('POST', dataURI); this.data.send(xml);

where "xml" is a DOMDocument Object.

In Firefox 2.0 this request came with a

Content-Type: application/xml

and the xml in the POST...

[MarkP]

Thanks for replying.
I have read through the pages referenced but I am not sure what I need to do.
the second page seems to be about what to do when the script receiving xml gets it in the wrong encoding.

My problem seems to be it doesn't get that far and I just get index.php sent back to me unless I turn off mod_security.

these are the first headers that are sent
it dose have the
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
which seems to be different from other browsers
but i don't understand what I need to change

Code:

POST /**** HTTP/1.1
Host: ******
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: ******
Content-Length: 33
Pragma: no-cache
Cache-Control: no-cache
***what ever i sent here


HTTP/1.x 302 Found
Date: Tue, 08 Jul 2008 21:10:37 GMT
Server: Microsoft-IIS/5.0
Location: /
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

p.s why dose the server say it is Microsoft-IIS not apache?

[eUKhost.com]

Quote:

Originally Posted by MarkP

p.s why dose the server say it is Microsoft-IIS not apache?

Hi Mark,

We have changed banners on all our servers to misguide hackers / crackers. We've left no way for the kids to find out actual version of running softwares on our servers.

I have asked other members of staff to answer your other questions.

[smiffsoft]

Is this thread any help?

FF3 using POST with XMLHttpRequest • mozillaZine Forums

[MarkP]

Quote:

Originally Posted by smiffsoft

Is this thread any help?

Haha. Not really, I started that thread.
I didn't understand what was happening with ff3. So now I know it sends the content-type header differently (including the charset) and that the request seems to get blocked by the security settings on the server (which is why I started this thread).

But I am still fairly confused and don't know what I have to change in the browser side code or on the server (without turning the filter off completely).