Masked Domain Issue Introduced with New Update

[ital_dj]

Hi,

I'm experiencing an issue accessing my wp-admin login page, only when using a masked domain.

My root setup is configured as so:
​http://rootdomain.com/othersite/wordpress/

The domain I'm using to access it is located here:
​http://redirect.com

When I use the root domain to access the login page directly, there's no problem. But, when I go to ​http://redirect.com/wp-admin, or click on any login links while at the redirect.com site, the page doesn't load. The title bar will load, but nothing else.

This is a new issue introduced with the 3.1.3 update. The masked domain was working prior to 3.1.3.

I've tried this both on Safari & Firefox (latest versions), using Mac OS X.

[ocean90]

Any error messages in your logs? Try also ​WP_DEBUG

[ital_dj]

Replying to ocean90:

Any error messages in your logs? Try also ​WP_DEBUG

I've gotten tons of error messages with plugins enabled. However, after disabling all plugins, I receive no error. There's also no server error logs.

By clicking login using the redirect site, nothing happens. The website loading is cancelled, and I'm left at the same page. By navigating to redirect.com/wp-admin, I still receive a blank page (cancelled).

However,
I've setup another redirect via a subdomain.
This redirect is admin.redirect.com

It is an unmasked redirect, which leads directly to ​http://rootdomain.com/othersite/wordpress/wp-admin, and it loads without a problem.

[sivel]

When you refer to a 'masked' domain. What exactly are you referring to? Does that hostname have the same IP as the "root" domain? And is apache configured with a serveralias to accept both domains for that single site?

This is the way that I have it configured, and the default behavior of WP is to redirect you from redirect.com to rootdomain.com. If not by actually redirecting it will have rootdomain.com in the actual href of the link you click.

[ital_dj]

What I mean is I've got a separate domain, which I've redirected to the main site. I've redirected it with masking enabled, so that you do not see the name of the true site in your address bar.

I've checked the IP of the real site and my domain, and it appears to be different. I'll try changing the IP.

I don't believe I've made any apache configurations. If so, could you point me to some directions?

I'll tell you one thing, when I hover over any links on the WP site, it shows as the true site in the status bar, and not the redirected domain.

[sivel]

Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.

[ital_dj]

Replying to sivel:

Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.

It shouldn't be re-writing anything, should it? I don't think it's even able to...

[sivel]

To WordPress the "real" domain is the one configured in Settings->General, and it will always use that domain/hostname to build links throughout the site. If the links throughout the site are pointing to the "masked" domain then something other than WordPress has to be doing that, such as a plugin, or the proxy.

[sivel]

If it is not a proxy, but instead a iframe/frame being used to do the masking, then it is likely due to #12293 and [18013]. In which case, what you are experiencing is the intended side effect.

You can try removing this functionality to see if it is this by adding the following to a plugin:

remove_action( 'login_init',          'send_frame_options_header',     10, 0 );
remove_action( 'admin_init',                 'send_frame_options_header', 10, 0 );

[ital_dj]

Sivel,

Your code solved the issue. I had figured it was that new "clickjacking" security feature.

So how do I go about fixing this issue, whilst keeping the clickjack security enabled?

Changing the IP on that domain gives me an Apache error...

Optimally, I want all site links to hover with "​http://redirect.com" as the link. I've obviously setup my redirect in a way that Wordpress doesn't like. Do you have any suggestions?

Additionally, why would a domain redirect be using an iFrame? You'd figure it would "redirect" and not build a frame on top, wouldn't you?

Much thanks for the help so far!

(As an alternative, if this isn't easy, can we adjust the clickjacking feature to allow a specific website to "clickjack"? In this case, allow only my redirect to "clickjack"?)

[mdawaffe]

This is WordPress acting as it should.

To allow embedding within a frame, @sivel's code above works. You can potentially restrict what domains your site is allowed to be iframed inside with the ALLOW-FROM value:

X-Frame-Options: ALLOW-FROM http://redirect.com

(Though I don't know what browsers support that value.)

Since this is not a bug with WordPress, I'm closing this ticket. If this is still an issue, I suggest you either seek help for your particular situation in the community forums (​https://wordpress.org/support/) or contact your host for assistance setting up these domains correctly.

Thanks for filing this (so long ago) with us. (Please don't let the "invalid" resolution dissuade you from filing more tickets in the future - it's just the word we use :))