WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 2 years ago

#17990 closed defect (bug) (fixed)

WP Importer blank due to X-Frame Options

Reported by: GaryJ Owned by: duck_
Milestone: 3.3 Priority: normal
Severity: normal Version: 3.2
Component: Import Keywords:
Focuses: Cc:

Description

WP 3.2, Chrome 12 on Win7.

When trying to add the WordPress Importer, the thickbox is coming up blank - Chrome console gives the error as:

Refused to display document because display forbidden by X-Frame-Options.

In short, the importer can't be installed by the usual method.

Probably related: #12293

Change History (10)

comment:1 nacin3 years ago

You have some odd domain mapping or URL-changing settings enabled?

comment:2 GaryJ3 years ago

I've got WP MS running - due to the way Plesk on my host works, I have to run what would usually be a wildcard subdomain as a domain alias instead, but I've done that for other WP MS installs pre-3.2, and never had an issue with getting the Importer installed that I remember.

Saying that, the thickbox does appear populated when trying to install the Importer from the root network site.

comment:3 follow-up: nacin3 years ago

So, we decided to go with X-Frame-Options: SAMEORIGIN without any special handling, rather than DENY with handling to avoid IFRAME_REQUEST pages.

I think an exception for IFRAME_REQUEST wouldn't be a bad idea, considering how many people use various forms of domain mapping. That said, this is a very very edge case.

comment:4 trepmal3 years ago

I'm running into the same problem as GaryJ

I'm using MediaTemple's (ve) service which as far as I can tell requires the ServerAlias method to get wildcard subdomains to work. However, I'm by no means a server guru, so I may very well have set up something incorrectly.

comment:5 in reply to: ↑ 3 duck_3 years ago

  • Keywords needs-patch added

Replying to nacin:

I think an exception for IFRAME_REQUEST wouldn't be a bad idea, considering how many people use various forms of domain mapping. That said, this is a very very edge case.

We don't want to exempt IFRAME_REQUEST for security reasons.

This isn't limited to domain mapping, but also occurs on subdomain setups when trying to install from off of the main site.

Should probably run a check to prevent installation and do something different on multisite when not on the main site.

comment:6 nacin3 years ago

  • Milestone changed from Awaiting Review to 3.2.2

Should probably run a check to prevent installation and do something different on multisite when not on the main site.

Yep.

comment:7 duck_3 years ago

  • Owner set to duck_
  • Resolution set to fixed
  • Status changed from new to closed

In [18535]:

Direct a user to the main site to install importers, fixes #17990

comment:8 duck_3 years ago

  • Keywords needs-patch removed

Reopening for 3.2.2 consideration.

comment:9 duck_3 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:10 ryan2 years ago

  • Milestone changed from 3.2.2 to 3.3
  • Resolution set to fixed
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.