To add the allow list for the AJAX Request:
- Go to Web Protection > Advanced Protection > Man in the Browser Protection, select the Man in the Browser Protection Rule tab, select the MiTB rule you want to edit, then click Edit. See this topic to add the MiTB rule if you have not yet added one.
It's recommended to put the user input fields and the AJAX requests into different rules, because the POST URL for them is usually not the same.
The AJAX request rule only checks the Request URL, and it doesn't involve POST URLs, so the POST URL of the AJAX request rule should be set as "/*" to match any URLs.
- In the Allowed External Domains for AJAX Request section at the bottom part of the page, click Create New.
- Enter the address of the external domain. If the user's browser sends AJAX request to an external domain which is not in the domain list you have entered, FortiWeb will take actions (alert, or alert & deny) according to your configuration in the MiTB rule. Please note that the domain name should start with "HTTPs://" if it is an HTTPS domain.
- Click OK.