Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

AJAX Post returns 403 with FireFox

168 views
Skip to first unread message

t...@fmdeveloper.com

unread,
Mar 30, 2007, 2:44:54 PM3/30/07
to dev-...@lists.mozilla.org
Currently transitioning from a shared host to a dedicated server. The same code
that works on the old server is not working on the dedicated server. It is a
simple AJAX request like:

<code>
function createXMLHttpRequest() {
if (window.ActiveXObject) {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
else if (window.XMLHttpRequest) {
xmlHttp = new XMLHttpRequest();
}
}


function doRequestUsingPOST() {
createXMLHttpRequest();
var queryString = "response.php?";
queryString = queryString + createQueryString() ;
xmlHttp.onreadystatechange = handleStateChange;
xmlHttp.open("POST", queryString, true);
xmlHttp.send(null);
}
</code>

With the code as is above, the requests works fine in IE. With Firefox it throws
a 403 on the page. A call to the response.php page with parameters runs
correctly outside of AJAX call. Changing all POST requests to GET resolves the
issue, but I would prefer not to have to change ALL POST requests to GET requests.

Does anyone know of a setting on the new server that can cause FireFox (1.5.x
and 2.0.x) to return a 403 with an AJAX post call?


Francis S

unread,
May 25, 2007, 10:38:17 AM5/25/07
to

//in .htaccess

SecFilterEngine Off

Tim Cormier

unread,
May 27, 2007, 11:26:38 PM5/27/07
to dev-...@lists.mozilla.org
That was the solution. Any idea why it only creates an issue with FireFox? I
would like to be able to run the server with this setting on...but also want
FireFox to work. Do you think it is a FireFox bug, or the security filter
bug, or not a bug at all?

Tim

Message: 1
Date: 25 May 2007 07:38:17 -0700
From: Francis S <franc...@gmail.com>
Subject: Re: AJAX Post returns 403 with FireFox
To: dev-...@lists.mozilla.org
Message-ID: <1180103897....@q19g2000prn.googlegroups.com>
Content-Type: text/plain; charset="iso-8859-1"

//in .htaccess

SecFilterEngine Off

------------------------------

_______________________________________________
dev-ajax mailing list
dev-...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-ajax


End of dev-ajax Digest, Vol 16, Issue 5
***************************************

James Ross

unread,
May 28, 2007, 5:55:44 PM5/28/07
to
"Tim Cormier" <t...@fmdeveloper.com> wrote in message
news:mailman.48.118032...@lists.mozilla.org...

> That was the solution. Any idea why it only creates an issue with FireFox?
> I
> would like to be able to run the server with this setting on...but also
> want
> FireFox to work. Do you think it is a FireFox bug, or the security filter
> bug, or not a bug at all?

IIRC, the "issue" is that Firefox doesn't send a Content-Length header with
the POST request if you call send with null or an empty string, and it looks
like Apache's "SecFilterEngine" (security filter I guess) is rejecting the
POST because of the missing header. My understanding is that it is not
required, although without it you cannot use Keep-Alive on that connection
afterwards.

In my current project work, I specifically send a value in the postdata
(which is ignored by the receiving end) to work around this problem.

--
James Ross <sil...@warwickcompsoc.co.uk>
ChatZilla and Venkman Developer

0 new messages