Opened 14 years ago
Closed 9 years ago
#17675 closed defect (bug) (invalid)
Masked Domain Issue Introduced with New Update
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.1.3 |
Component: | Administration | Keywords: | dev-feedback needs-patch |
Focuses: | Cc: |
Description
Hi,
I'm experiencing an issue accessing my wp-admin login page, only when using a masked domain.
My root setup is configured as so:
http://rootdomain.com/othersite/wordpress/
The domain I'm using to access it is located here:
http://redirect.com
When I use the root domain to access the login page directly, there's no problem. But, when I go to http://redirect.com/wp-admin, or click on any login links while at the redirect.com site, the page doesn't load. The title bar will load, but nothing else.
This is a new issue introduced with the 3.1.3 update. The masked domain was working prior to 3.1.3.
I've tried this both on Safari & Firefox (latest versions), using Mac OS X.
Change History (12)
#2
@
14 years ago
- Keywords reporter-feedback removed
Replying to ocean90:
Any error messages in your logs? Try also WP_DEBUG
I've gotten tons of error messages with plugins enabled. However, after disabling all plugins, I receive no error. There's also no server error logs.
By clicking login using the redirect site, nothing happens. The website loading is cancelled, and I'm left at the same page. By navigating to redirect.com/wp-admin, I still receive a blank page (cancelled).
However,
I've setup another redirect via a subdomain.
This redirect is admin.redirect.com
It is an unmasked redirect, which leads directly to http://rootdomain.com/othersite/wordpress/wp-admin, and it loads without a problem.
#3
@
14 years ago
- Keywords reporter-feedback added
When you refer to a 'masked' domain. What exactly are you referring to? Does that hostname have the same IP as the "root" domain? And is apache configured with a serveralias to accept both domains for that single site?
This is the way that I have it configured, and the default behavior of WP is to redirect you from redirect.com to rootdomain.com. If not by actually redirecting it will have rootdomain.com in the actual href of the link you click.
#4
@
14 years ago
What I mean is I've got a separate domain, which I've redirected to the main site. I've redirected it with masking enabled, so that you do not see the name of the true site in your address bar.
I've checked the IP of the real site and my domain, and it appears to be different. I'll try changing the IP.
I don't believe I've made any apache configurations. If so, could you point me to some directions?
I'll tell you one thing, when I hover over any links on the WP site, it shows as the true site in the status bar, and not the redirected domain.
#5
follow-up:
↓ 6
@
14 years ago
Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.
#6
in reply to:
↑ 5
@
14 years ago
Replying to sivel:
Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.
It shouldn't be re-writing anything, should it? I don't think it's even able to...
#7
@
14 years ago
To WordPress the "real" domain is the one configured in Settings->General, and it will always use that domain/hostname to build links throughout the site. If the links throughout the site are pointing to the "masked" domain then something other than WordPress has to be doing that, such as a plugin, or the proxy.
#8
@
14 years ago
If it is not a proxy, but instead a iframe/frame being used to do the masking, then it is likely due to #12293 and [18013]. In which case, what you are experiencing is the intended side effect.
You can try removing this functionality to see if it is this by adding the following to a plugin:
remove_action( 'login_init', 'send_frame_options_header', 10, 0 ); remove_action( 'admin_init', 'send_frame_options_header', 10, 0 );
#9
@
14 years ago
Sivel,
Your code solved the issue. I had figured it was that new "clickjacking" security feature.
So how do I go about fixing this issue, whilst keeping the clickjack security enabled?
Changing the IP on that domain gives me an Apache error...
Optimally, I want all site links to hover with "http://redirect.com" as the link. I've obviously setup my redirect in a way that Wordpress doesn't like. Do you have any suggestions?
Additionally, why would a domain redirect be using an iFrame? You'd figure it would "redirect" and not build a frame on top, wouldn't you?
Much thanks for the help so far!
(As an alternative, if this isn't easy, can we adjust the clickjacking feature to allow a specific website to "clickjack"? In this case, allow only my redirect to "clickjack"?)
#12
@
9 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
This is WordPress acting as it should.
To allow embedding within a frame, @sivel's code above works. You can potentially restrict what domains your site is allowed to be iframed inside with the ALLOW-FROM
value:
X-Frame-Options: ALLOW-FROM http://redirect.com
(Though I don't know what browsers support that value.)
Since this is not a bug with WordPress, I'm closing this ticket. If this is still an issue, I suggest you either seek help for your particular situation in the community forums (https://wordpress.org/support/) or contact your host for assistance setting up these domains correctly.
Thanks for filing this (so long ago) with us. (Please don't let the "invalid" resolution dissuade you from filing more tickets in the future - it's just the word we use :))
Any error messages in your logs? Try also WP_DEBUG