Administration Guide

FAQ

How does Support AJAX Requests in Replacement Message work?

Replacement Message for AJAX requests lets FortiWeb answer a blocked AJAX request with a configurable AJAX block page message. The option is hidden by default: enable it under System > Config > Feature Visibility first.

The replacement message for AJAX requests is different from the other replacement messages:

  • If Support AJAX Requests is enabled, and a response from the backend server has status code 200 and Content-Type text/html, FortiWeb inserts two .js scripts into the HTML response:

    • ajaxhook.min.js

    • 122710291618_index.js

  • When the client calls the AJAX functions open() and send(), “122710291618_index.js” hooks the request and adds an “X-FortiWeb-AJAX-BLOCK” header to it;

  • When FortiWeb receives a request carrying the “X-FortiWeb-AJAX-BLOCK” header, it records that the request is an AJAX request, removes the header, and forwards the request to the backend server (the header never reaches the origin);

  • If both the request and the response comply with all rules on FortiWeb, nothing further happens. If either violates a rule and FortiWeb has to return an error page to the client, FortiWeb adds an HTTP “X-FortiWeb-AJAX-REPONSE” header to the returned error page.

  • When the client receives an AJAX response, “122710291618_index.js” hooks the response and checks it. If the “X-FortiWeb-AJAX-REPONSE” header is present, the script shows the error page message in the browser GUI. A response without that header is a normal response and is passed through unchanged.

    So even if "Support AJAX Requests" is disabled, the "AJAX block" function itself still works: violating requests are still blocked. What is lost is the user-friendly part, i.e. there is no conspicuous GUI prompt when an AJAX request is blocked.

Can we add an exception for Replacement Message > Support AJAX Requests?

There have been customer reports that a target URL cannot be visited because the injected .js scripts conflict with the customer’s own page code. The root cause is sometimes hard to locate in customer pages or 3rd-party code.

Build 7.0.0 adds an enhancement: a URL Access Rule or IP List can be used to bypass the injection of these .js scripts for matching URLs or clients. For those requests the AJAX block function still works, but because the two .js scripts are not injected, the client browser will not prompt a warning message when an AJAX request is blocked.
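The request/response exchange described in both answers above, as an added JavaScript illustration. This is not FortiWeb's own ajaxhook.min.js or 122710291618_index.js code: it uses a constructed stand-in for the WAF and backend, a minimal fake XMLHttpRequest so it runs offline under Node, the hook pattern on open()/send(), and the script injection decision with a 7.0.0-style URL/IP bypass. The "<script" blocking rule, the script paths in SCRIPT_TAGS, the 403 error page and the sample URLs are all assumptions made for the example.

```javascript
'use strict';

// Header names exactly as the FAQ gives them (RESP_MARK keeps the FAQ's spelling).
const REQ_MARK = 'X-FortiWeb-AJAX-BLOCK';
const RESP_MARK = 'X-FortiWeb-AJAX-REPONSE';

// Hypothetical script paths; the FAQ names the files but not where they are served from.
const SCRIPT_TAGS =
  '<script src="/ajaxhook.min.js"></script>' +
  '<script src="/122710291618_index.js"></script>';

// --- Constructed WAF stand-in (not FortiWeb code) ---------------------------
// One hypothetical rule: a URL containing "<script" violates policy.
function simulatedWaf(request) {
  const headers = { ...request.headers };
  const isAjax = REQ_MARK in headers;     // record that the client marked it as AJAX
  delete headers[REQ_MARK];               // strip the marker before forwarding
  if (/<script/i.test(request.url)) {
    const error = { status: 403, headers: { 'Content-Type': 'text/html' },
                    body: '<html><body>Request blocked by WAF</body></html>' };
    if (isAjax) error.headers[RESP_MARK] = '1';   // only marked requests get the signal
    return error;
  }
  return simulatedBackend({ ...request, headers });
}

function simulatedBackend(request) {
  // The origin must never see the marker; make that an explicit check.
  if (REQ_MARK in request.headers) throw new Error('marker leaked to origin');
  return { status: 200, headers: { 'Content-Type': 'application/json' }, body: '{"ok":true}' };
}

// Injection decision for full-page responses: only 200 text/html, and only when
// the URL prefix / client IP is not covered by a bypass (the 7.0.0 exception).
function maybeInjectScripts(request, response, bypass = { urls: [], ips: [] }) {
  const ct = (response.headers['Content-Type'] || '').toLowerCase();
  if (response.status !== 200 || !ct.startsWith('text/html')) return response;
  if (bypass.urls.some((p) => request.url.startsWith(p)) ||
      bypass.ips.includes(request.clientIp)) return response;
  return { ...response, body: response.body.replace('</head>', SCRIPT_TAGS + '</head>') };
}

// --- Constructed minimal XMLHttpRequest stand-in so this runs under Node ----
class FakeXMLHttpRequest {
  constructor() { this.headers = {}; this.onload = null; this._resp = null; }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(name, value) { this.headers[name] = value; }
  send() {
    this._resp = simulatedWaf({ method: this.method, url: this.url, headers: this.headers });
    this.status = this._resp.status;
    this.responseText = this._resp.body;
    if (this.onload) this.onload();
  }
  getResponseHeader(name) {
    const key = Object.keys(this._resp.headers).find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? null : this._resp.headers[key];
  }
}

// --- The client-side hook pattern (what the injected script is described as doing) ---
function installAjaxHook(XHR, showBlockMessage) {
  const origOpen = XHR.prototype.open;
  const origSend = XHR.prototype.send;
  XHR.prototype.open = function (method, url, ...rest) {
    this._ajaxUrl = url;                          // remember that open() went through the hook
    return origOpen.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (...args) {
    if (this._ajaxUrl !== undefined) this.setRequestHeader(REQ_MARK, '1');
    const userOnload = this.onload;
    this.onload = function () {
      if (this.getResponseHeader(RESP_MARK) !== null) showBlockMessage(this.responseText);
      if (userOnload) userOnload.apply(this, arguments);
    };
    return origSend.apply(this, args);
  };
}

// Drive one request with or without the hook and report what the page would see.
function runScenario(url, hooked) {
  const shown = [];
  const XHR = class extends FakeXMLHttpRequest {};  // fresh subclass: hooks do not stack
  if (hooked) installAjaxHook(XHR, (msg) => shown.push(msg));
  const xhr = new XHR();
  xhr.open('GET', url);
  xhr.send();
  return { status: xhr.status, signalled: xhr.getResponseHeader(RESP_MARK) !== null, shown };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScenario('/api/items', true));               // 200, no prompt
  console.log(runScenario('/api/items?q=<script>', true));    // 403, prompt shown
  console.log(runScenario('/api/items?q=<script>', false));   // 403, blocked but silent
}
```

Two caveats worth keeping in mind when reasoning about the real mechanism: an XMLHttpRequest hook only covers XHR, so calls made through fetch() or a WebSocket are not marked and get the silent behaviour; and in a browser the response header is only readable from script for same-origin responses or when CORS exposes it. The marker header is a courtesy signal that any client can set or omit, not an authentication token, which is why blocking itself never depends on it.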
