Sanford, you are absolutely right: gzip was the key. If I gzip the content, all is working fine :) I learned a new, and important, thing today: thank you.
I want to say that I really appreciated everyone's help: thank you all guys. See you soon, bye! Daniele On 6 Mag, 00:38, Sanford Whiteman <[email protected]> wrote: > I'd caution you against adding/changing headers to just to make things > "match" with a working site without knowing what the headers mean. > > For one example, the correct, registered MIME type for javascript is > application/javascript (not application/x-javascript nor > text/javascript). So while playing around with headers can be useful > for troubleshooting, you do want to aim for the correct setup. > > For another, you can't just add C-E: gzip unless your server is > actually gzipping the file. > > However, the C-E difference does provide a clue. Perhaps the IPS or > other intermediate device is incapable of streaming-unzipping the > gzipped HTTP data, so it just lets it go (this area of weakness is > present in a lot of simple security software), whereas when you send > it unencoded, it attempts to scan it -- and promptly has a false > positive for malicious content. Try setting up your server to actually > gzip (it will usually add the header automatically in turn) and see > what happens. > > What I find most depressing is that the IT dept of this big company > won't even tell you what IPS rule is mis/firing. It's one thing to > "refuse to fix" -- I have done that myself when working in security -- > but to not even tell you what rule is causing the error is just > incompetent. This is a big company's main website? How important is > their web presence that they are just leaving the dev shooting in the > dark? > > -- S.
