Post editing > more options > blank page

[gldtn]

Hello, some of my members are reporting errors when trying to edit a post and clicking on "More options". Apparently they are using chrome on windows.

Here is some screenshot they sent me:



And refreshing the page it gives them a post error saying they can only perform such action "via post" and to go back and try again!


Has anything like this been reported? I tried duplicating this error, but I couldn't neither on Windows or macOS .

Thank you!

 

[Amaury]

No issues here on XenForo Community.

Sounds like an add-on.

 

[Mike]

Have them go to the network tab in the developer tools, click the request and screenshot the "headers" tab output.

Though if you can't reproduce it on your own site, that makes it harder to rule out client issues.

 

[gldtn]

Thanks @Mike, I was able to reproduce the error on chrome here is what I get after clicking more options and getting the blank page, I was only able to see something under the headers like you mentioned after hitting refresh on the blank page. Hopefully I got the right information!



I just tried disabling all my add-ons via config disabling the listeners and I still get the error

 

[gldtn]

Further more, I was able to track down the problem and it seems it' only happening when I'm linking to my own domain within a post.

My site.

If I link to any other domain it does not happen.
Xenforo.

 

[Mike]

If I'm reading that first screenshot correctly, it's returning a 405 error, which is method not allowed. This is almost certainly mod_security or a similar server side security package hitting a false positive. Your host should be able to identify the rule in question.

 

[gldtn]

I run a VPS and I have another admin that does all the config/security related stuff on there. It ended up being something related to X-XSS-Protection

add_header X-XSS-Protection "1; mode=block";

X-XSS-Protection is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.

New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header. - Security/Guidelines/Web Security - MozillaWiki

So we disabled on my site that is running Xenforo for now! Is there any way around this to keep it active on Xen.?

Thanks for the help!