ModSecurity vs FF3 and XMLHttpRequest


    Does anyone know why POST requests made by Firefox 3 using XMLHttpRequest are blocked by mod_security?
    All the other browsers (incl. FF2) work fine, and when I turn the SecFilterEngine off, Firefox 3 can be used as well.

    #2
    Versions of Firefox prior to version 3 always send the request
    using UTF-8 encoding; Firefox 3 properly sends the document using the
    encoding specified by data.xmlEncoding, or UTF-8 if no encoding is
    specified. You can refer to developer.mozilla.org/en/docs/XMLHttpRequest for further information.

    Regards,
    Nick J.
    Last edited by NickJ; 08-07-2008, 17:59.



      #3
      Also, as per computer-internet.marc8.com/encoding-issue-xmlhttprequest-and-firefox-3-christian-sto

      In Firefox 3.0.0 there is a "strange" regression issue regarding the encoding of XMLHttpRequest requests.

      It's not a bug per se, it's just different behavior, which we ran into (and no other browser does it this way)

      What we basically do on the client side in JavaScript:

      this.data = new XMLHttpRequest();
      this.data.open('POST', dataURI);
      this.data.send(xml);

      where "xml" is a DOMDocument Object.

      In Firefox 2.0 this request came with a

      Content-Type: application/xml

      and the xml in the POST...
      Last edited by NickJ; 08-07-2008, 17:53.



        #4
        Thanks for replying.
        I have read through the pages referenced but I am not sure what I need to do.
        The second page seems to be about what to do when the script receiving XML gets it in the wrong encoding.

        My problem seems to be it doesn't get that far and I just get index.php sent back to me unless I turn off mod_security.

        These are the first headers that are sent.
        It does have the
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        which seems to be different from other browsers,
        but I don't understand what I need to change.

        Code:
        POST /**** HTTP/1.1
        Host: ******
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-gb,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 300
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Referer: ******
        Content-Length: 33
        Pragma: no-cache
        Cache-Control: no-cache
        ***what ever i sent here
        
        
        HTTP/1.x 302 Found
        Date: Tue, 08 Jul 2008 21:10:37 GMT
        Server: Microsoft-IIS/5.0
        Location: /
        Keep-Alive: timeout=15, max=99
        Connection: Keep-Alive
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=iso-8859-1

        P.S. Why does the server say it is Microsoft-IIS, not Apache?



          #5
          Originally posted by MarkP
          P.S. Why does the server say it is Microsoft-IIS, not Apache?
          Hi Mark,

          We have changed banners on all our servers to misguide hackers / crackers. We've left no way for the kids to find out the actual version of the software running on our servers.

          I have asked other members of staff to answer your other questions.


            #6
            Is this thread any help?

            FF3 using POST with XMLHttpRequest • mozillaZine Forums



              #7
              Originally posted by smiffsoft
              Is this thread any help?
              Haha. Not really, I started that thread.
              I didn't understand what was happening with ff3. So now I know it sends the content-type header differently (including the charset) and that the request seems to get blocked by the security settings on the server (which is why I started this thread).

              But I am still fairly confused and don't know what I have to change in the browser side code or on the server (without turning the filter off completely).
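
Added example, not part of the thread and not the host's configuration: it shows how an exact-match Content-Type allow-list rejects the Firefox 3 header quoted in post #4 while a parameter-aware check accepts it and still refuses unexpected types and charsets. The strict pattern, the allowed types and charsets, and all function names are assumptions made for illustration.

```javascript
// Constructed sample headers; the second is the Firefox 3 header quoted in post #4.
const SAMPLES = [
  "application/x-www-form-urlencoded",
  "application/x-www-form-urlencoded; charset=UTF-8",
  "multipart/form-data; boundary=----x",
  "application/xml",
  "application/x-www-form-urlencoded; charset=UTF-7",
];

// Assumed strict rule (not the host's real one): anchored match, no parameters allowed.
const STRICT = /^(application\/x-www-form-urlencoded$|multipart\/form-data;)/;
const strictAllows = (header) => STRICT.test(header);

// Split "type/subtype; k=v" into a lowercased type and a parameter map.
// Fails closed (null) on anything malformed, including quoted values containing ';'.
function parseContentType(header) {
  const [media, ...rest] = header.split(";");
  const type = media.trim().toLowerCase();
  if (!/^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(type)) return null;
  const params = Object.create(null);
  for (const part of rest) {
    const eq = part.indexOf("=");
    if (eq < 0) return null;
    const key = part.slice(0, eq).trim().toLowerCase();
    const value = part.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (!key || key in params) return null; // empty or duplicate parameter
    params[key] = value;
  }
  return { type, params };
}

// Assumed policy: body types the filter can parse, charsets it can decode.
const ALLOWED_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data"]);
const ALLOWED_CHARSETS = new Set(["utf-8", "iso-8859-1"]);

function tolerantAllows(header) {
  const ct = parseContentType(header);
  if (!ct || !ALLOWED_TYPES.has(ct.type)) return false;
  if (ct.type === "multipart/form-data" && !ct.params.boundary) return false;
  const charset = ct.params.charset;
  return charset === undefined || ALLOWED_CHARSETS.has(charset.toLowerCase());
}

// One row per header: the decision under each check.
const compare = (headers) =>
  headers.map((h) => ({ header: h, strict: strictAllows(h), tolerant: tolerantAllows(h) }));

console.table(compare(SAMPLES));
```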
