Within our CMS, previews of an article which contains an HTML5 embed (mp4) cause the video to be blocked by the following rule in mod_security. It gives a 403 Forbidden message in the console:
This rule compares the first and second byte ranges and flags when the first value is greater than the second.
-=[ References ]=-
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
http://seclists.org/fulldisclosure/2011/Aug/175
3. Identifies an excessive number of byte range fields within one request
Currently our development environment is not configured with mod_security, so I need to resolve this by deploying code onto the acceptance server, so you'll understand I'm trying to avoid trial and error.
Should I be using either:
<cfheader name="Accept-Ranges" value="">
or
<cfheader name="Content-Range" value="">
And how is it best to calculate the 'range' or just 'length'? The temptation is to stick a wildcard * in there.
I've read about a potential solution here: "ColdFusion - how to set Content-Length header", but it doesn't sound foolproof.
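An added example, not part of the original post: a Python illustration of the two checks the rule text above describes, and of how the headers for a single-range response are derived from the file size under the HTTP range-request rules. `MAX_RANGES`, the function names and the sample values are assumptions made for the example.

```python
import re

MAX_RANGES = 5  # assumed threshold for "excessive"; the page gives no number

def parse_ranges(header):
    """Parse 'bytes=a-b,c-,-n' into (first, last) pairs; None marks an open end."""
    unit, _, spec = header.strip().partition("=")
    if unit.strip().lower() != "bytes" or not spec:
        raise ValueError("unsupported Range header")
    out = []
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", part)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed byte range: %r" % part)
        out.append(tuple(int(g) if g else None for g in m.groups()))
    return out

def rule_findings(header):
    """Apply the two checks the rule text describes to one Range header."""
    ranges = parse_ranges(header)
    findings = []
    if any(f is not None and l is not None and f > l for f, l in ranges):
        findings.append("first byte value greater than second")
    if len(ranges) >= MAX_RANGES:
        findings.append("excessive number of byte range fields")
    return findings

def partial_headers(header, size):
    """Status and headers for a single-range request against a `size`-byte file."""
    (first, last), = parse_ranges(header)   # single-range requests only
    if first is None:                       # suffix form "-N": the last N bytes
        first, last = max(size - last, 0), size - 1
    elif last is None or last >= size:      # open-ended, or end past EOF
        last = size - 1
    elif first > last:                      # invalid spec: Range is ignored
        return 200, {"Accept-Ranges": "bytes", "Content-Length": str(size)}
    if first >= size or first > last:       # nothing satisfiable
        return 416, {"Content-Range": "bytes */%d" % size}
    return 206, {
        "Accept-Ranges": "bytes",
        "Content-Range": "bytes %d-%d/%d" % (first, last, size),
        "Content-Length": str(last - first + 1),
    }
```

The `*` form of `Content-Range` appears only in the 416 reply, where it stands in for the byte positions and the total size is still given.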