Mod Security ....you may need to consider a move to a VPS...
Thank you jeff, but 1) is the previous .htaccess post not an accurate test for mod_security? and 2) as mentioned, "limited access" as a third party to this client. One of those situations requiring diplomacy. If I contact the host, the client gets the response, and says to second party, "what's wrong with my site . . . " So I need to be very sure before this goes to the next level.
Can you show us all the accept headers?
With invalid checked, edited the domain and cookie line only.
GET /test.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20100401 Firefox/3.6.3
Cookie: [removed, from a different site open in another tab]
HTTP/1.1 200 OK
Date: Thu, 17 Jun 2010 18:42:41 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/22.214.171.12435
Keep-Alive: timeout=5, max=100
Though it's likely irrelevant, contents of "test.html" and the same file used in the .htaccess test above.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<p>this means mod security is NOT enabled</p>
I'd bug the folks at the W3, but I imagine they would shrug and say "your client's server is serving a 406, donno what ta' tell ya' . . . "