Opened 3 years ago

Last modified 8 months ago

#17675 new defect (bug)

Masked Domain Issue Introduced with New Update

Reported by: ital_dj
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.1.3
Component: Administration
Keywords: dev-feedback
Focuses:
Cc:

Description

Hi,

I'm experiencing an issue accessing my wp-admin login page, only when using a masked domain.

My root setup is configured as so:
http://rootdomain.com/othersite/wordpress/

The domain I'm using to access it is located here:
http://redirect.com

When I use the root domain to access the login page directly, there's no problem. But, when I go to http://redirect.com/wp-admin, or click on any login links while at the redirect.com site, the page doesn't load. The title bar will load, but nothing else.

This is a new issue introduced with the 3.1.3 update. The masked domain was working prior to 3.1.3.

I've tried this both on Safari & Firefox (latest versions), using Mac OS X.

Change History (10)

comment:1 ocean90 3 years ago

  • Keywords reporter-feedback added; needs-patch removed

Any error messages in your logs? Try also WP_DEBUG

comment:2 ital_dj 3 years ago

  • Keywords reporter-feedback removed

Replying to ocean90:

Any error messages in your logs? Try also WP_DEBUG

I've gotten tons of error messages with plugins enabled. However, after disabling all plugins, I receive no error. There's also no server error logs.

By clicking login using the redirect site, nothing happens. The website loading is cancelled, and I'm left at the same page. By navigating to redirect.com/wp-admin, I still receive a blank page (cancelled).

However, I've set up another redirect via a subdomain. This redirect is admin.redirect.com

It is an unmasked redirect, which leads directly to http://rootdomain.com/othersite/wordpress/wp-admin, and it loads without a problem.

Last edited 3 years ago by ital_dj

comment:3 sivel 3 years ago

  • Keywords reporter-feedback added

When you refer to a 'masked' domain, what exactly are you referring to? Does that hostname have the same IP as the "root" domain? And is Apache configured with a ServerAlias to accept both domains for that single site?

This is the way that I have it configured, and the default behavior of WP is to redirect you from redirect.com to rootdomain.com. If not by actually redirecting it will have rootdomain.com in the actual href of the link you click.

comment:4 ital_dj 3 years ago

What I mean is I've got a separate domain, which I've redirected to the main site. I've redirected it with masking enabled, so that you do not see the name of the true site in your address bar.

I've checked the IP of the real site and my domain, and it appears to be different. I'll try changing the IP.

I don't believe I've made any Apache configurations. If so, could you point me to some directions?

I'll tell you one thing, when I hover over any links on the WP site, it shows as the true site in the status bar, and not the redirected domain.

comment:5 follow-up: sivel 3 years ago

Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.

comment:6 in reply to: ↑ 5 ital_dj 3 years ago

Replying to sivel:

Sounds like a masked domain is really a proxy that is rewriting some things in the HTML to reflect the "masked" domain.

It shouldn't be re-writing anything, should it? I don't think it's even able to...

comment:7 sivel 3 years ago

To WordPress the "real" domain is the one configured in Settings->General, and it will always use that domain/hostname to build links throughout the site. If the links throughout the site are pointing to the "masked" domain then something other than WordPress has to be doing that, such as a plugin, or the proxy.

comment:8 sivel 3 years ago

If it is not a proxy, but instead an iframe/frame being used to do the masking, then it is likely due to #12293 and [18013]. In which case, what you are experiencing is the intended side effect.

You can try removing this functionality to see if it is this by adding the following to a plugin:

remove_action( 'login_init', 'send_frame_options_header', 10, 0 );
remove_action( 'admin_init', 'send_frame_options_header', 10, 0 );

comment:9 ital_dj 3 years ago

Sivel,

Your code solved the issue. I had figured it was that new "clickjacking" security feature.

So how do I go about fixing this issue, whilst keeping the clickjack security enabled?

Changing the IP on that domain gives me an Apache error...

Optimally, I want all site links to hover with "http://redirect.com" as the link. I've obviously set up my redirect in a way that WordPress doesn't like. Do you have any suggestions?

Additionally, why would a domain redirect be using an iFrame? You'd figure it would "redirect" and not build a frame on top, wouldn't you?

Much thanks for the help so far!

(As an alternative, if this isn't easy, can we adjust the clickjacking feature to allow a specific website to "clickjack"? In this case, allow only my redirect to "clickjack"?)

Last edited 3 years ago by ital_dj
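
One way to do what comment 9 asks (keep the framing restriction but let one known parent through), as an added example that is not code from this ticket or from WordPress core: it swaps the X-Frame-Options header for a Content-Security-Policy frame-ancestors allowlist. The example_* function names are hypothetical, http://redirect.com is the placeholder domain from the ticket, and the approach assumes browsers that support frame-ancestors.

```php
<?php
/**
 * Plugin Name: Frame Ancestors Allowlist (added example)
 */

// Assumption: origins allowed to frame wp-login.php and wp-admin.
// http://redirect.com is the placeholder masking domain from this ticket.
function example_allowed_frame_parents() {
	return array( 'http://redirect.com' );
}

// Keep only well-formed scheme://host[:port] origins so a bad entry
// cannot widen the policy or break the header line.
function example_build_frame_ancestors( $origins ) {
	$sources = array( "'self'" ); // same-origin framing stays allowed
	foreach ( $origins as $origin ) {
		if ( preg_match( '#^https?://[a-z0-9.-]+(:\d{1,5})?$#i', $origin ) ) {
			$sources[] = $origin;
		}
	}
	return 'frame-ancestors ' . implode( ' ', $sources );
}

// Send the allowlist policy for the current request.
function example_send_frame_ancestors_header() {
	if ( ! headers_sent() ) {
		header( 'Content-Security-Policy: ' . example_build_frame_ancestors( example_allowed_frame_parents() ) );
	}
}

foreach ( array( 'login_init', 'admin_init' ) as $example_hook ) {
	// Drop core's blanket X-Frame-Options: SAMEORIGIN on these screens...
	remove_action( $example_hook, 'send_frame_options_header', 10 );
	// ...and send the narrower allowlist in its place.
	add_action( $example_hook, 'example_send_frame_ancestors_header', 10, 0 );
}
```

With this in place, the login and admin screens can be framed only by the site itself and by the listed origin; any other parent is still refused by the browser.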

comment:10 avryl 8 months ago

  • Keywords dev-feedback added; reporter-feedback removed