Describe the bug with a clear and concise description of what the bug is.
My web host offers the mod_security web application firewall using a combination of the OWASP core ruleset and their own home-grown rules. I recently discovered that I could not reply from GoToSocial to my WordPress blog using the ActivityPub plugin. The GTS logs turned up a 418 error, which is what my host uses for requests blocked by mod_security. Looking at my web server logs, I found that it was tripping the following rules from core ruleset file REQUEST-920-PROTOCOL-ENFORCEMENT.conf:
Illegal Accept header: charset parameter for application/ld+json; profile=\x22https://www.w3.org/ns/activitystreams\x22,application/activity+json
Illegal Content-Type header for application/ld+json; profile=\x22https://www.w3.org/ns/activitystreams\x22
Request content type is not allowed by policy for |application/ld+json|
What's your GoToSocial Version?
0.13.1
GoToSocial Arch
x86_64, docker on Alpine
What happened?
Federation of replies failed to reach the other server.
What you expected to happen?
The reply should have shown up in my WordPress dashboard.
How to reproduce it?
Run WordPress with the ActivityPub plugin on a DreamHost server with mod_security enabled (or any other Apache server running mod_security with the core ruleset) and try to reply to a post from a GoToSocial server.
After turning mod_security off, replies federate successfully to the WordPress blog.
Anyway, I don't know if this is something better to change here, or submit as a change request to the ruleset maintainers, or just mark as a known issue.
Thanks. I wasn't familiar with the profile parameter, but I read up on it a bit and reported the false positive to the ruleset project. Along with a request to add application/ld+json to the default list of allowed types.
Alright, sounds good. I'm going to mark it as "closed" here since it's not something we ought to be changing on our side; everything we're doing is very much by-the-book ActivityPub stuff with regard to headers. Nevertheless, thanks for opening this here so it's searchable for folks running into the same issue :)
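For anyone who lands here running WordPress behind the OWASP CRS and cannot wait for the upstream fix, the following is an added example of a local ModSecurity exclusion for the three messages in the report. It is not code from the GoToSocial project, the WordPress ActivityPub plugin, the reporter's host, or the CRS itself. Assumptions: the rule IDs 920420, 920470 and 920600 are the ones I recall those three messages belonging to in CRS 3.3 (confirm them against the `id` field in your own REQUEST-920-PROTOCOL-ENFORCEMENT.conf and audit log), the allow-list in the `setvar` is the 3.3 default as I recall it, and the local IDs 1001 and 1002 are arbitrary.

```apache
# Added example, not from the GoToSocial project, the ActivityPub plugin or the
# OWASP CRS. Load this after crs-setup.conf and before the rules/*.conf
# includes (the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf slot), so that the
# variable below is already set and the ctl: exclusions run before phase-1 rules.

# 1) "Request content type is not allowed by policy" (rule 920420, assumed ID):
#    the media type is taken without its parameters, wrapped in pipes (hence
#    "|application/ld+json|" in the log) and looked up in
#    tx.allowed_request_content_type. Weak setting: the CRS default list, which
#    contains neither ActivityPub type. Corrected setting: the same list with
#    application/activity+json and application/ld+json appended. Copy the
#    default list from your own crs-setup.conf; this one is the 3.3 default as
#    I recall it. If your crs-setup.conf already has rule 900220 uncommented,
#    edit it there instead of defining the ID twice.
SecAction \
  "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/activity+json| |application/ld+json|'"

# 2) "Illegal Content-Type header" (920470) and "Illegal Accept header: charset
#    parameter" (920600) reject the profile="https://www.w3.org/ns/activitystreams"
#    parameter that ActivityPub puts on both headers. Rather than disabling them
#    site-wide, remove each one only for requests that actually carry the
#    ActivityPub media types, so browser and ordinary REST traffic keeps the
#    checks. Inbox POSTs from other servers hit 920470 on Content-Type; actor
#    and object fetches hit 920600 on Accept.
SecRule REQUEST_HEADERS:Content-Type "@rx ^application/(?:ld\+json|activity\+json)(?:\s*;|$)" \
  "id:1001,\
  phase:1,\
  pass,\
  nolog,\
  t:none,\
  ctl:ruleRemoveById=920470"

SecRule REQUEST_HEADERS:Accept "@contains https://www.w3.org/ns/activitystreams" \
  "id:1002,\
  phase:1,\
  pass,\
  nolog,\
  t:none,\
  ctl:ruleRemoveById=920600"
```

Two caveats. The two `ctl:` rules key off request headers that any client can set, so they deliberately remove only the header-format checks; the allow-list change in 900220 is the part that admits the new media type, and every other CRS rule (body parsing, injection and protocol rules) still applies to those requests. After reloading Apache, repeat the reply from GoToSocial and confirm in the web server log that the 418 is gone rather than replaced by another 920-series message, since the Accept rule also covers the actor fetch GTS performs before it delivers to the inbox.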