Hi, I was looking at some issues we were having with Google Chrome users and found that the PDF viewer built into Chrome first requests the first 1024 bytes of the PDF before displaying it. This causes it to trigger rule 958291 which leads to the request being blocked. I've confirmed this on Linux and Windows versions of Chrome.
This request seems like a perfectly valid thing to do and not in clear violation of any HTTP standards. I've set up a local override for the rule on our systems, but you may want to reconsider including it in the ruleset. Here is the request made by Chrome:

GET /test.pdf HTTP/1.1
Host: test.int.danielhall.me
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Range: bytes=0-1023
If-Range: "9bc88-37563-4af884ec837c0"

--
Cheers,
Daniel Hall
http://www.danielhall.me/