
Http 406 Error On Javascript Ajax Post. Accept Header Set To Accept All

I am getting an error from the server when I try to make an AJAX request that I cannot figure out. It is an HTTP 406 error. From what I understand this means that the server cannot

Solution 1:

The fact that you have a 406, and also the fact that this is based on the presence of the < before the word script, leads directly to a security filter in action. So mod_security and apache configuration files would be more useful than the js/php code to find the root blocking rule.

This looks like an anti-xss filter. Maybe a very simple one like:

SecFilter "<( |\n)*script"

If you can alter this mod_security configuration, then do that... or don't. It's about security. Maybe you should keep these filters in place to protect your application from really unwanted script injections. Maybe the real solution is that your official application forms should manage communications with the server without looking suspicious to mod_security. And here your POST is too much like a Cross Site Scripting attack for a tool which is only reading the stream and detects a javascript call inside.

You could for example add a base64 encoding on the POSTed value (from the js) and decode the result on the PHP side, some base64 encoding js libraries are available on github.

You could in fact apply any transformation on your data that renders this data HTML-free (and Javascript-free), at least for the HTTP filtering tools. Base64 is usually the solution, but check how the library you use manages encoding of UTF-8 characters; the real base64 was ASCII only.

Solution 2:

I had the same issue and I will tell you how I debugged it and fixed it.

In my case I could reproduce the forbidden response by writing some very specific inline CSS directives (inside a style attribute in an HTML tag).

I analyzed the error log file of apache (in my case it is at /usr/local/apache/logs/error_log) and filtered only by the response code I was getting.

grep 406 error_log

The explanation said it was a rule by ModSecurity, this is what it said:

[Mon Jan 02 13:21:10.394376 2017] [:error] [pid 12827:tid 139784907347712] [client 255.255.255.255] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?: (?:height|width) ?(?:=|\\\\:) ?[0-9] ?px|overflow ?: ?(?:auto|hidden)|style ?= ?\\"? ?display ?:?none ?)" at ARGS:body. [file "/usr/local/apache/conf/modsec2/30_asl_antispam.conf"] [line "174"] [id "300076"] [rev "29"] [msg "Atomicorp.com WAF AntiSpam Rules: Hidden Text Detected"] [data "height:8px"] [severity "CRITICAL"] [hostname "my.website.mx"] [uri "/index.php"] [unique_id "WGqoJqwQ25oAADIbgkcAAAGP"]

I investigated how to disable this and it turns out you can add this in a conf file:

<Location "/">
    SecRuleRemoveById 300076
</Location>

Problem solved for me. Note, if you want to disable more than one rule you can separate the ids by spaces.
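Added example, not from the answer above: a small Python parser for ModSecurity error_log entries in the format quoted in this answer. It pulls out the rule id, matched data, variable and URI, counts denials per rule id so you can see how often a rule actually fires before removing it, and renders the SecRuleRemoveById snippet. The sample line is the one from the answer (re-typed as a constructed string); the helper scopes the <Location> to the blocked URI instead of "/" so the rule stays active elsewhere, which is an assumption about what you want.

```python
import re
from collections import Counter

# Constructed sample input: the error_log entry quoted in the answer above.
SAMPLE_LOG = [
    r'[Mon Jan 02 13:21:10.394376 2017] [:error] [pid 12827:tid 139784907347712] '
    r'[client 255.255.255.255] ModSecurity: Access denied with code 406 (phase 2). '
    r'Pattern match "(?: (?:height|width) ?(?:=|\\\\:) ?[0-9] ?px|overflow ?: ?(?:auto|hidden)'
    r'|style ?= ?\\"? ?display ?:?none ?)" at ARGS:body. '
    r'[file "/usr/local/apache/conf/modsec2/30_asl_antispam.conf"] [line "174"] [id "300076"] '
    r'[rev "29"] [msg "Atomicorp.com WAF AntiSpam Rules: Hidden Text Detected"] [data "height:8px"] '
    r'[severity "CRITICAL"] [hostname "my.website.mx"] [uri "/index.php"] [unique_id "WGqoJqwQ25oAADIbgkcAAAGP"]',
]

DENIED_RE = re.compile(r"Access denied with code (\d+) \(phase (\d+)\)")
MATCH_RE = re.compile(r'Pattern match "(.*?)" at (\S+)\. ')   # regex that fired and the variable it hit
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\]')   # [key "value"] pairs; non-greedy stops at the first "]


def parse_modsec_line(line):
    """Flatten one ModSecurity denial into a dict; return None for unrelated error_log lines."""
    denied = DENIED_RE.search(line)
    if "ModSecurity:" not in line or not denied:
        return None
    event = {"status": denied.group(1), "phase": denied.group(2)}
    client = CLIENT_RE.search(line)
    if client:
        event["client"] = client.group(1)
    matched = MATCH_RE.search(line)
    if matched:
        event["pattern"], event["variable"] = matched.groups()
    event.update(FIELD_RE.findall(line))   # file, line, id, rev, msg, data, severity, hostname, uri, ...
    return event


def denials_by_rule(lines):
    """Count blocked requests per rule id: the number to look at before removing a rule."""
    counts = Counter()
    for line in lines:
        event = parse_modsec_line(line)
        if event and "id" in event:
            counts[event["id"]] += 1
    return counts


def remove_rules_block(rule_ids, location="/"):
    """Render the <Location> snippet from the answer; several ids are separated by spaces."""
    return f'<Location "{location}">\n    SecRuleRemoveById {" ".join(rule_ids)}\n</Location>\n'


if __name__ == "__main__":
    print(dict(denials_by_rule(SAMPLE_LOG)))
    print(remove_rules_block(["300076"], location=parse_modsec_line(SAMPLE_LOG[0])["uri"]))
```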
