AWS WAF (Web Application Firewall) Blocks Valid Requests
Problem
Some valid requests from Oxygen XML Web Author (for example, switching between
Text and Author modes or editing attributes that contain relative paths such
as href="../images/example.png") are blocked by AWS when WAF (Web
Application Firewall) managed rules are enabled.
Cause
Certain rules in the AWSManagedRulesCommonRuleSet (in particular,
SizeRestrictions_BODY, GenericLFI_BODY, and
GenericRFI_BODY) may trigger false positives when Web Author
sends requests or payloads that match their patterns (e.g. URLs with relative paths or
certain body sizes). As a result, these valid requests are incorrectly blocked.
Solution
In your Web ACL configuration in AWS WAF, locate the rules listed above and set them to “Override to Allow” to prevent them from blocking these valid requests from Web Author.
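For Web ACLs managed as JSON through the WAFv2 API rather than the console, the same override can be expressed as RuleActionOverrides entries on the managed rule group. The following is an added example, not part of the Oxygen documentation; the helper name allow_web_author_rules and the sample Web ACL rules are constructed for illustration.

```python
import copy
import json

# Rules named on this page as causing false positives for Web Author.
WEB_AUTHOR_RULES = ("SizeRestrictions_BODY", "GenericLFI_BODY", "GenericRFI_BODY")
RULE_GROUP = ("AWS", "AWSManagedRulesCommonRuleSet")


def allow_web_author_rules(rules, names=WEB_AUTHOR_RULES):
    """Return a copy of a Web ACL 'Rules' list in which the named rules of
    AWSManagedRulesCommonRuleSet are overridden to Allow (hypothetical helper)."""
    patched = copy.deepcopy(rules)
    found = False
    for rule in patched:
        group = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if not group or (group.get("VendorName"), group.get("Name")) != RULE_GROUP:
            continue  # leave custom rules and other managed groups untouched
        found = True
        # Keep overrides for other rules; replace any existing entry for ours.
        kept = [o for o in group.get("RuleActionOverrides", []) if o["Name"] not in names]
        group["RuleActionOverrides"] = kept + [
            {"Name": n, "ActionToUse": {"Allow": {}}} for n in names
        ]
    if not found:
        raise ValueError("AWSManagedRulesCommonRuleSet is not in this Web ACL")
    return patched


# Constructed sample: the shape of the "Rules" array in a WAFv2 Web ACL.
SAMPLE_RULES = [{
    "Name": "AWS-AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
            {"Name": "NoUserAgent_HEADER", "ActionToUse": {"Count": {}}},
            {"Name": "GenericLFI_BODY", "ActionToUse": {"Count": {}}},
        ],
    }},
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True, "MetricName": "CommonRuleSet"},
}]

if __name__ == "__main__":
    print(json.dumps(allow_web_author_rules(SAMPLE_RULES), indent=2))
```

The returned list is the value supplied as Rules when updating the Web ACL through the WAFv2 UpdateWebACL operation; overrides already set for other rules in the group are preserved.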