In our Vaadin 8.14.3 we have some pdfs that we are able to upload using Firefox, but fail for all users with Edge.
We see nothing in the server log, but see the response from the server is 403 Forbidden.
When I try the same in my dev environment, the upload works fine.
When I try to upload the same file in another place in the application it works!
Anyone know what the cause might be?
Why I am doing upload using sampler UI and checking network tab, I see the url
Double check yours when doing this with your production setup, since you probably have reverse proxy there and you need to check that url mapping is done correctly in proxy config etc. But in general my suspect is that something in proxy config is not right.
Our request URL looks the same, both in Edge and Firefox. Here is a failed one from Edge:
Does the url refer back to some list of upload targets that Vaadin maintains?
Does Vaadin return 403 if the entry is not found in that list?
Not sure, but you could test that manually with a bogus URL? Another thing that comes to mind is that the referrer policy handling is somehow different between the browsers.
The “log” that I have access to is in datadog, and it is supposed to contain both access log and server log. For uploads that work I see a POST request, but for those that doesn’t work I see nothing.
If datadog actually contains all requests, this should mean that the request never gets to the server. It is then blocked by something on the way. Possibly something in AWS.
I see that AWS has something called WAF (Web Application Framework)
I don’t know if we use it, but if we do, this could just be a false positive from that.
WAF = Web Application Firewall, and yes it can cause problems like this, see more
Also in addition to file uploads being blocked (which as you see can be either intentional or un-intentional), the WAF could block requests if their content is matching the filter, e.g. some JSON pattern, contains SQL statement, JavaScript. This naturally can be problem with any web framework, so the filters needs to be disabled or WAF disabled entirely for the web application. Vaadin is not the only product affected. And I think Vaadin 8 is relatively less affected than some others. And e.g. Vaadin 24 is a bit more prone to WAF problems than Vaadin 8.
Have now gotten it confirmed; The problem was AWS WAF, and in particular the SQL Injection rule.
It is still strange that it only affected (as far as I know) Chrome/Edge and some files in some parts of the application.
