Post editing > more options > blank page

gldtn

Well-known member
#1
Hello, some of my members are reporting errors when trying to edit a post and clicking on "More options". Apparently they are using Chrome on Windows.

Here are some screenshots they sent me:

more_opt.png more_opt_blankpage.png more_opt_blankpage_devtools.png

And refreshing the page gives them a post error saying they can only perform such action "via post" and to go back and try again!
more_opt_refresh.png

Has anything like this been reported? I tried duplicating this error, but I couldn't on either Windows or macOS.

Thank you!
 

Mike

XenForo developer
Staff member
#3
Have them go to the network tab in the developer tools, click the request and screenshot the "headers" tab output.

Though if you can't reproduce it on your own site, that makes it harder to rule out client issues.
 

gldtn

Well-known member
#4
Thanks @Mike, I was able to reproduce the error on Chrome. Here is what I get after clicking more options and getting the blank page. I was only able to see something under the headers like you mentioned after hitting refresh on the blank page. Hopefully I got the right information!

Screen Shot 2016-11-20 at 11.10.26 AM.png Screen Shot 2016-11-20 at 11.10.42 AM.png Screen Shot 2016-11-20 at 11.10.52 AM.png

I just tried disabling all my add-ons via config, disabling the listeners, and I still get the error.
 

gldtn

Well-known member
#5
Furthermore, I was able to track down the problem and it seems it's only happening when I'm linking to my own domain within a post.

My site.

If I link to any other domain it does not happen.
Xenforo.
 

Mike

XenForo developer
Staff member
#6
If I'm reading that first screenshot correctly, it's returning a 405 error, which is method not allowed. This is almost certainly mod_security or a similar server side security package hitting a false positive. Your host should be able to identify the rule in question.
 

gldtn

Well-known member
#7
I run a VPS and I have another admin that does all the config/security related stuff on there. It ended up being something related to X-XSS-Protection:

add_header X-XSS-Protection "1; mode=block";

X-XSS-Protection is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.

New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.
- Security/Guidelines/Web Security - MozillaWiki
So we disabled it on my site that is running XenForo for now! Is there any way around this to keep it active on Xen.?

Thanks for the help!
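
Added example, not part of the thread or of XenForo: a small check for the response headers that Mike asks for in #3, reporting whether X-XSS-Protection is in block mode (the setting identified in #7) and whether a Content Security Policy already disallows inline script, as the MozillaWiki quote describes. The function names and both sample header sets are constructed for illustration.

```python
# Added example: header samples are constructed, not taken from the screenshots.

def parse_xxp(value):
    """Parse an X-XSS-Protection value such as '1; mode=block; report=<uri>'."""
    parts = [p.strip() for p in value.split(";")]
    enabled = parts[0] == "1"
    mode = report = None
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip().lower() == "mode":
            mode = val.strip().lower()
        elif key.strip().lower() == "report":
            report = val.strip()
    # In block mode a filter hit stops the whole page from rendering.
    return {"enabled": enabled, "block": enabled and mode == "block", "report": report}

def csp_blocks_inline(csp):
    """True if the policy governs scripts and does not permit inline script."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
    return has_nonce_or_hash or "'unsafe-inline'" not in sources

def assess(raw_response_head):
    """Take a status line plus header lines, as copied from the network tab."""
    headers = {}
    for line in raw_response_head.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    xxp = parse_xxp(headers["x-xss-protection"]) if "x-xss-protection" in headers else None
    csp = headers.get("content-security-policy")
    return {"block_mode": bool(xxp and xxp["block"]),
            "csp_blocks_inline": bool(csp and csp_blocks_inline(csp))}

SAMPLE_BLOCK_MODE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
"""
SAMPLE_CSP_ONLY = """HTTP/1.1 200 OK
X-XSS-Protection: 0
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BLOCK_MODE, SAMPLE_CSP_ONLY):
        print(assess(sample))
```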
 