It turns out, it's the OWASP rules being used by mod_security on some servers, such as the DreamHost Web Application Firewall, that have a problem with some of the requests this plugin's front end code sends to its back end REST API routes.
For the font-awesome/v1/api route, OWASP doesn't seem to like seeing a POST request with the default content-type (text/plain). It also doesn't like \r or \n in the text of those queries. Removing those whitespace characters, and sending it as a JSON document with {query: 'query {...}'} and header content-type: application/json works.
So that REST API route should be changed accordingly.
It can continue to provide the prior functionality for compatibility when a request comes in with content-type: text/plain. Going forward, it should expect content-type: application/json, and once #216 is implemented, could pass through a JSON document that might include both the query and variables.
As indicated by #213, in any case, the content-type header expectations should be documented for that REST API route in FontAwesome_API_Controller.
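
The request shape described above, as an added example that is not the plugin's own code, together with a JavaScript model of the back-end compatibility check. The function names are hypothetical, and the flattening assumes the query contains no GraphQL block strings whose line breaks matter.

```javascript
// Added example; buildApiRequest/readApiRequest are hypothetical names.
const API_ROUTE = 'font-awesome/v1/api'; // route named in the issue

// Collapse every whitespace run containing CR or LF into a single space.
// Assumption: no GraphQL block strings ("""...""") with significant newlines.
function flattenQuery(query) {
  return query.replace(/\s*[\r\n]\s*/g, ' ').trim();
}

// Front end: options object suitable for fetch(<REST base> + API_ROUTE, opts).
function buildApiRequest(query, variables) {
  const doc = { query: flattenQuery(query) };
  if (variables !== undefined) doc.variables = variables;
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(doc),
  };
}

// Back end (model only): accept JSON going forward, keep text/plain
// working for older clients, reject everything else.
function readApiRequest(contentType, body) {
  const type = (contentType || 'text/plain').split(';')[0].trim().toLowerCase();
  if (type === 'application/json') {
    let doc;
    try {
      doc = JSON.parse(body);
    } catch (e) {
      return { error: 'invalid JSON' };
    }
    if (doc === null || typeof doc !== 'object' || typeof doc.query !== 'string') {
      return { error: 'missing query' };
    }
    const variables = doc.variables === undefined ? null : doc.variables;
    return { query: doc.query, variables };
  }
  if (type === 'text/plain') {
    return { query: body, variables: null }; // prior behaviour
  }
  return { error: 'unsupported content-type' };
}
```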