OK, after reading this thread I was able to stop the 403 error...
But how come I have to remove these rules in any version after 4.1.1?
SecFilterSelective ARGS "(fromCharCode|http-equiv|<.+>|innerHTML|dynsrc|-->)"
SecFilterSelective ARGS "<(applet|div|embed|iframe|img|meta|object|script|textarea)"
When the same exact script & data is OK in 4.1.1?