xmlHTTP Request returns 403 in FireFox when Post used

FMDeveloper

Currently transitioning from a shared host to a dedicated server. The
same code that works on the old server is not working on the dedicated
server. It is a simple AJAX request like:

<code>
function createXMLHttpRequest() {
    if (window.ActiveXObject) {
        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    else if (window.XMLHttpRequest) {
        xmlHttp = new XMLHttpRequest();
    }
}

function doRequestUsingPOST() {
    createXMLHttpRequest();
    var queryString = "response.php?";
    queryString = queryString + createQueryString();
    xmlHttp.onreadystatechange = handleStateChange;
    xmlHttp.open("POST", queryString, true);
    xmlHttp.send(null);
}
</code>

With the code as is above, the request works fine in IE. With Firefox
it throws a 403 on the page. A call to the response.php page with
parameters runs correctly outside of AJAX. Changing all POST requests
to GET resolves the issue, but I would prefer not to have to change
ALL POST requests to GET requests.

Does anyone know of a setting on the new server that can cause FireFox
(1.5.x and 2.0.x) to return a 403 with an AJAX post call?
 
Martin Honnen

FMDeveloper said:
Does anyone know of a setting on the new server that can cause FireFox
(1.5.x and 2.0.x) to return a 403 with an AJAX post call?

The server sends that HTTP response status code. Check whether
responseText contains details why the request is forbidden.
 
FMDeveloper

The server sends that HTTP response status code. Check whether
responseText contains details why the request is forbidden.

The responseText only contains the 403 error message from the server
 
pcx99

FMDeveloper said:
Currently transitioning from a shared host to a dedicated server. The
same code that works on the old server is not working on the dedicated
server. It is a simple AJAX request like:

<code>
function createXMLHttpRequest() {
    if (window.ActiveXObject) {
        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    else if (window.XMLHttpRequest) {
        xmlHttp = new XMLHttpRequest();
    }
}

function doRequestUsingPOST() {
    createXMLHttpRequest();
    var queryString = "response.php?";
    queryString = queryString + createQueryString();
    xmlHttp.onreadystatechange = handleStateChange;
    xmlHttp.open("POST", queryString, true);
    xmlHttp.send(null);
}
</code>

With the code as is above, the request works fine in IE. With Firefox
it throws a 403 on the page. A call to the response.php page with
parameters runs correctly outside of AJAX. Changing all POST requests
to GET resolves the issue, but I would prefer not to have to change
ALL POST requests to GET requests.

Does anyone know of a setting on the new server that can cause FireFox
(1.5.x and 2.0.x) to return a 403 with an AJAX post call?

Pretty sure you're getting that error because you didn't set the ajax
header to indicate you were sending data as a post. After your
xmlHttp.open place the following line...

xmlHttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");

If you're not sending anything -- and since you have send(null) you're
not sending any data -- (because posts are sent via xmlHttp.send(data))
then you don't need to use post and get would work quite nicely.
 
Ian Collins

pcx99 said:
Pretty sure you're getting that error because you didn't set the ajax
header to indicate you were sending data as a post. After your
xmlHttp.open place the following line...

xmlHttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");

If you're not sending anything -- and since you have send(null) you're
not sending any data -- (because posts are sent via xmlHttp.send(data))
then you don't need to use post and get would work quite nicely.

I'm sure you only have to set the Content-type on post requests if there
is data being sent.
 
FMDeveloper

Then check the server's error log.

No further hint in the log that I can see. The relevant part is below:

63.202.xxx.xxx - - [02/Apr/2007:16:10:33 -0700] "GET /includes/styles.css HTTP/1.1" 200 3437 "http://host.com/adjustment.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:34 -0700] "GET /adjustment.php HTTP/1.1" 200 78514 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:35 -0700] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:37 -0700] "GET /finder.php?row=1 HTTP/1.1" 200 3984 "http://host.com/adjustment.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:37 -0700] "GET /includes/style.css HTTP/1.1" 200 1027 "http://host.com/finder.php?row=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:39 -0700] "GET /response.php?brand=19&ts=1175555465215 HTTP/1.1" 200 1757 "http://host.com/finder.php?row=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:40 -0700] "POST /listing.php?brand=19&size=11L-16&ts=1175555466434 HTTP/1.1" 403 652 "http://host.com/finder.php?row=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

I changed the first AJAX call to a get and it works. The same type of
call as a post fails.
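
One way to pull the signal out of an access log like the one above, as an added example that is not part of the original post: it parses Apache combined-format lines and marks each 403 whose client was served normally with other methods, the pattern the POST to listing.php shows here. The sample lines, client addresses and host.example are constructed.

```javascript
// Constructed sample in Apache "combined" format, modelled on the excerpt above.
const UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3";
const SAMPLE_LOG = [
  `203.0.113.7 - - [02/Apr/2007:16:10:37 -0700] "GET /finder.php?row=1 HTTP/1.1" 200 3984 "http://host.example/adjustment.php" "${UA}"`,
  `203.0.113.7 - - [02/Apr/2007:16:10:39 -0700] "GET /response.php?brand=19 HTTP/1.1" 200 1757 "http://host.example/finder.php?row=1" "${UA}"`,
  `203.0.113.7 - - [02/Apr/2007:16:10:40 -0700] "POST /listing.php?brand=19 HTTP/1.1" 403 652 "http://host.example/finder.php?row=1" "${UA}"`,
  `198.51.100.9 - - [02/Apr/2007:16:11:02 -0700] "GET /private/ HTTP/1.1" 403 652 "-" "${UA}"`,
  `truncated line without a request field`,
];

// host ident user [time] "METHOD target protocol" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // malformed or wrapped line: skip rather than guess
  const [, client, time, method, target, status, referer, agent] = m;
  return { client, time, method, path: target.split("?")[0],
           status: Number(status), referer, agent };
}

function methodDependentDenials(lines) {
  const entries = lines.map(parseLine).filter(Boolean);
  // Methods each client was served successfully (status below 400) with.
  const okMethods = new Map();
  for (const e of entries) {
    if (e.status >= 400) continue;
    if (!okMethods.has(e.client)) okMethods.set(e.client, new Set());
    okMethods.get(e.client).add(e.method);
  }
  return entries
    .filter((e) => e.status === 403)
    .map((e) => {
      const ok = okMethods.get(e.client) || new Set();
      return {
        time: e.time, client: e.client, method: e.method, path: e.path,
        // true: the client is served with other methods but never this one,
        // which points at a method- or body-based filter rather than a
        // host- or credential-based denial.
        methodSpecific: ok.size > 0 && !ok.has(e.method),
      };
    });
}
```

The access log records only the status; which filter or rule refused the request has to come from the server's error log or the filtering module's own log.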
 
FMDeveloper

Then check the server's error log.

No further hint in the log that I can see. The relevant part is below:

63.202.xxx.xxx - - [02/Apr/2007:16:10:33 -0700] "GET /includes/styles.css HTTP/1.1" 200 3437 "http://host.com/adjustment.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:34 -0700] "GET /adjustment.php HTTP/1.1" 200 78514 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:35 -0700] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:37 -0700] "GET /finder.php?row=1 HTTP/1.1" 200 3984 "http://host.com/adjustment.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:37 -0700] "GET /includes/style.css HTTP/1.1" 200 1027 "http://host.com/finder.php?row=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:39 -0700] "GET /response.php?brand=19&ts=1175555465215 HTTP/1.1" 200 1757 "http://host.com/finder.php?row=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
63.202.xxx.xxx - - [02/Apr/2007:16:10:40 -0700] "POST /listing.php?brand=19&size=11L-16&ts=1175555466434 HTTP/1.1" 403 652 "http://host.com/finder.php?row=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

I changed the first AJAX call to a get and it works. The same type of
call as a post fails.

Adding
xmlHttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
did not solve the issue.

An example url that would be placed into queryString in
xmlHttp.open("Post", queryString, true) is
http://www.host.com/listing.php?brand=13&size=11.00-20&ts=1175560027602
 
pcx99

Ian said:
I'm sure you only have to set the Content-type on post requests if there
is data being sent.


Ah well, it was worth a guess.

Hmm 403. If it was 405 then it would be because he was trying to post
to a static file (not php or server-side program). With 403 he may be
running into apache's mod_security which tries to filter out some hack
attempts.

I'd disable mod_security for a few mins and try to post with it
disabled. I know a few of my articles which deal with htaccess I need
to disable mod_security to upload them through the browser and if I
forget I get a 403 error.

You can disable the code by editing .htaccess and adding the following
lines (assuming your web-host allows this).

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

After you're done either remove the lines or insert a # in front of each
line to comment it out.
 
pcx99

pcx99 said:
Ah well, it was worth a guess.

Hmm 403. If it was 405 then it would be because he was trying to post
to a static file (not php or server-side program). With 403 he may be
running into apache's mod_security which tries to filter out some hack
attempts.

I'd disable mod_security for a few mins and try to post with it
disabled. I know a few of my articles which deal with htaccess I need
to disable mod_security to upload them through the browser and if I
forget I get a 403 error.

You can disable the code by editing .htaccess and adding the following
lines (assuming your web-host allows this).

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

After you're done either remove the lines or insert a # in front of each
line to comment it out.

And it works in IE so it's unlikely to be an .htaccess problem.
Frustrating problem. In another post he said adding the header didn't
fix the problem. I'd still try the .htaccess change because it's quick
and easy to check (assuming he's running apache), but other than that
I'm stumped (<<< usual condition).
 
Ian Collins

pcx99 said:
Ah well, it was worth a guess.

Hmm 403. If it was 405 then it would be because he was trying to post
to a static file (not php or server-side program). With 403 he may be
running into apache's mod_security which tries to filter out some hack
attempts.

He doesn't say which server he is using and the log didn't look like an
Apache error log.

I'd disable mod_security for a few mins and try to post with it
disabled. I know a few of my articles which deal with htaccess I need
to disable mod_security to upload them through the browser and if I
forget I get a 403 error.

It's odd, because I use this style of request all the time and haven't
hit this error.
 
FMDeveloper

All I can suggest is you look at the request packets on the wire and
compare the headers sent by each browser.

Running Apache 1.3.37 - mod_security is disabled, so I will test that
now
 
FMDeveloper

Running Apache 1.3.37 - mod_security is disabled, so I will test that
now

THANKS FOR ALL YOUR HELP GUYS! It does appear that mod_security on
Apache 1.3.37 will cause FireFox to return a 403 with the code sample
I provided. Disabling mod_security allows all of the posts to work.
 
blaine

Hey,

The guys above pointed a lot of stuff out. However since you are doing
a POST with ajax your xmlHttp.send should be the post parameters not a
null value. Even though you've specified a post your request is sent
like a get..

A proper post would be as below..

function doRequestUsingPOST() {
    createXMLHttpRequest();
    var postURL = "response.php";

    xmlHttp.onreadystatechange = handleStateChange;
    xmlHttp.open("POST", postURL, true);

    // createQueryString returns something like
    // name=<name>&address=<address>&variable3=<variable3> etc etc
    xmlHttp.send( createQueryString() );
}
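
blaine's version carried one step further, as an added example (not code from the thread): the parameters go in the body with a Content-Type header, and a non-2xx status is passed to the caller together with responseText. The names encodeForm, postForm and the injected createXhr factory are assumptions of this example.

```javascript
// Percent-encode one key or value for application/x-www-form-urlencoded.
function encodeComponent(s) {
  return encodeURIComponent(s)
    // encodeURIComponent leaves ! ' ( ) alone; form encoding escapes them.
    .replace(/[!'()]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, "+"); // spaces travel as "+" in form bodies
}

// Build "name=value&name=value" from a plain object.
function encodeForm(params) {
  return Object.keys(params)
    .map((k) => encodeComponent(k) + "=" + encodeComponent(String(params[k])))
    .join("&");
}

// url:       script to post to, without a query string
// params:    plain object of fields
// onDone:    callback(error, responseText)
// createXhr: optional factory, so the function can be exercised without a browser
function postForm(url, params, onDone, createXhr) {
  const xhr = (createXhr || (() => new XMLHttpRequest()))();
  const body = encodeForm(params);

  xhr.open("POST", url, true);
  // Declare the body type so the server can parse the fields.
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return; // not finished yet
    if (xhr.status >= 200 && xhr.status < 300) {
      onDone(null, xhr.responseText);
    } else {
      // Keep both status and body: an error page may say what refused the request.
      onDone({ status: xhr.status, detail: xhr.responseText }, null);
    }
  };

  xhr.send(body); // the fields go here, not in the URL and not null
  return body;
}
```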
 
