Sanford,
you are absolutely right: gzip was the key. If I gzip the content, all
is working fine :)
I learned a new, and important, thing today: thank you.

I want to say that I really appreciated everyone's help: thank you all
guys.

See you soon, bye!
Daniele

On 6 Mag, 00:38, Sanford Whiteman <[email protected]> wrote:
> I'd caution you against adding/changing headers to just to make things
> "match" with a working site without knowing what the headers mean.
>
> For  one  example, the correct, registered MIME type for javascript is
> application/javascript      (not      application/x-javascript     nor
> text/javascript).  So  while playing around with headers can be useful
> for troubleshooting, you do want to aim for the correct setup.
>
> For  another,  you  can't  just  add  C-E:  gzip unless your server is
> actually gzipping the file.
>
> However,  the  C-E  difference does provide a clue. Perhaps the IPS or
> other  intermediate  device  is  incapable  of streaming-unzipping the
> gzipped  HTTP  data,  so  it just lets it go (this area of weakness is
> present  in  a lot of simple security software), whereas when you send
> it  unencoded,  it  attempts  to  scan  it -- and promptly has a false
> positive for malicious content. Try setting up your server to actually
> gzip  (it  will  usually add the header automatically in turn) and see
> what happens.
>
> What  I  find  most depressing is that the IT dept of this big company
> won't  even  tell  you  what IPS rule is mis/firing. It's one thing to
> "refuse to fix" -- I have done that myself when working in security --
> but  to  not  even  tell  you  what  rule is causing the error is just
> incompetent.  This  is  a big company's main website? How important is
> their  web presence that they are just leaving the dev shooting in the
> dark?
>
> -- S.

Reply via email to