
This is my first SO question because I honestly cannot find out the reason for this problem and it's driving me nuts because I can't do testing if I can't reconnect after the 1st failed attempt!

I have an HTML page running on my local computer (localhost):

var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://hostedDomain.com/myBackendScript.php', true);
xhr.onload = function (e) {
    console.log(this.responseText);
};
xhr.send();

On the hosted server (I have no access to php.ini, .htaccess, .httpd.conf etc), myBackendScript.php is simply:

<?php
  header("Access-Control-Allow-Origin: *"); //Note: I am not asking about how to configure Access-Control-Allow-Origin
  echo "Server Response";
?>

Steps to recreate the problem:

  1. Surf to hostedDomain and it returns the index
  2. Surf to hostedDomain/myBackendScript.php and it returns "Server Response"
  3. Run the localhost html, which fails with a CORS error ("Access-Control-Allow-Origin not present, etc" "403 Forbidden" seen in the browser Console) [Note: I am not asking about how to configure Access-Control-Allow-Origin]
  4. Surf to hostedDomain no longer works (connection time-out)
  5. Switch to another network (change public IP, using same computer) - surf to hostedDomain works again
  6. Wait a couple of days and I'm able to connect to hostedDomain again.

Note: I am not asking about CORS per se or about how to configure Access-Control-Allow-Origin; I am asking about why I am unable to connect to the hostedDomain after the 1st initial failed attempt at XMLHTTPRequest and potential solutions to stop this temporary "ban".

I have a feeling it's got to do with the server configuration; but I have no idea how to proceed further...

Peter Hall
Em Chan
  • check the XHR request in your browser developer tools network tab - does it actually get that cors header? – Jaromanda X Apr 16 '17 at 01:28
  • Try using this more advanced php CORS set up http://stackoverflow.com/a/9866124/1175966 The limited access issue though is very strange – charlietfl Apr 16 '17 at 01:33
  • Also check with host. Could be some security feature that is locking you out – charlietfl Apr 16 '17 at 01:36
  • thanks @JaromandaX for the heads up on the XHR. it turns out the server was not passing the cors header – Em Chan Apr 16 '17 at 03:14
  • thanks @charlietfl. It turns out to be a server security feature (explained in the answer below). – Em Chan Apr 16 '17 at 03:15

1 Answer

My hostedDomain uses CPanel and has ModSecurity enabled for that domain.

Apparently, ModSecurity will detect failed XMLHTTPRequests as suspicious activity and block the IP.

My host provider has removed my blocked public IP and advised me to temporarily disable ModSecurity. Disabling ModSecurity allows me to make multiple failed XMLHTTPRequests without being blocked.

I noted that disabling ModSecurity after being blocked will not reverse the block immediately. This step requires the host provider's help.

Peter Hall
Em Chan
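Added example (not part of the original answer or the host's tooling): a small classifier for what the browser's Network tab showed on each attempt. It relies on the question's PHP script always emitting the CORS header and the body "Server Response" to tell a rejection in front of the script from a script-level CORS problem. The observation shape and the verdict names are assumptions made for illustration.

```javascript
// Added example; field names and the sample observations are constructed.
// myBackendScript.php always sends "Access-Control-Allow-Origin: *" and the
// body "Server Response", so a reply lacking both was produced before PHP ran.
function diagnose(obs) {
  if (obs.timedOut) {
    // Steps 4-5 of the question: no answer until the public IP changes.
    return { verdict: 'ip-blocked', safeToRepeat: false };
  }
  const headers = {};
  for (const [name, value] of Object.entries(obs.headers || {})) {
    headers[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const hasCors = headers['access-control-allow-origin'] !== undefined;
  const scriptRan = (obs.body || '').includes('Server Response');
  if (obs.status === 403 && !hasCors && !scriptRan) {
    // Refused in front of the script (ModSecurity on this host). Sending it
    // again risks the IP block described in the answer.
    return { verdict: 'rejected-before-script', safeToRepeat: false };
  }
  if (scriptRan && !hasCors) {
    return { verdict: 'script-ran-header-missing', safeToRepeat: true };
  }
  if (scriptRan && hasCors) {
    return { verdict: 'ok', safeToRepeat: true };
  }
  return { verdict: 'unknown', safeToRepeat: false };
}

// Index of the first observation after which a test loop should stop,
// or -1 if every attempt was safe to repeat.
function firstStop(observations) {
  return observations.findIndex((obs) => !diagnose(obs).safeToRepeat);
}

// Constructed observations, in the order the question's steps produced them.
const sample = [
  { status: 200, headers: { 'Access-Control-Allow-Origin': '*' }, body: 'Server Response' },
  { status: 403, headers: { 'Content-Type': 'text/html' }, body: 'Forbidden' },
  { timedOut: true },
];

console.log(sample.map((obs) => diagnose(obs).verdict), firstStop(sample));
```

The observations have to come from the Network tab or a non-browser client, because page script cannot read the status or headers of a response that failed the CORS check.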