#1075 closed defect (fixed)
media attachment dialog empty
| Reported by: | Dieter Van Uytvanck | Owned by: | mail@hendrikschmeer.de |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Website | Version: | |
| Keywords: | Cc: | André Moreira |
Description
when editing https://www.clarin.eu/node/4883/edit
and trying to attach a file the dialog shown (titled "Media browser") remains blank
Change History (14)
comment:1 Changed 5 years ago by
| Status: | new → accepted |
|---|
comment:2 Changed 5 years ago by
OK I see what you mean. The issue is unrelated with #1001
I will investigate.
comment:4 Changed 5 years ago by
| Owner: | changed from André Moreira to mail@hendrikschmeer.de |
|---|---|
| Status: | accepted → assigned |
Still same for https://www.clarin.eu/node/4897/edit on Firefox 64.0.2 (64-bit) on Mac. Hendrik, when you find some time, could you take a look?
comment:5 Changed 5 years ago by
I get an access denied on the official page.
Maybe I should have proper permissions to have a real life impression.
On dev-www.clarin.eu and on my local setup I see following error messages, pointing out cross-origin issues.
Load denied by X-Frame-Options: https://stats.clarin.eu/ does not permit framing by https://dev-www.clarin.eu/node/4770/edit?destination=admin/content. SecurityError: Permission denied to access property "Drupal" on cross-origin object js_57S2RuhDbtk13XzVHsbvT7Suh3TdNfgG82Io9dBTBLc.js:218 Drupal.media.popups.mediaBrowser.mediaBrowserOnLoad https://dev-www.clarin.eu/sites/default/files/js/js_57S2RuhDbtk13XzVHsbvT7Suh3TdNfgG82Io9dBTBLc.js:218:7 dispatch https://dev-www.clarin.eu/sites/default/files/js/js_a8MyAHRjajLu6SNTDzhm_ZUhUeIq_Ao6d-T9QrOU9BI.js:4:14077 add/v.handle https://dev-www.clarin.eu/sites/default/files/js/js_a8MyAHRjajLu6SNTDzhm_ZUhUeIq_Ao6d-T9QrOU9BI.js:4:10849
Firefox 64 64bit on Xubuntu 16.04
Can anybody explain to me what is about https://stats.clarin.eu?
comment:6 Changed 5 years ago by
See https://trac.clarin.eu/wiki/InfrastructureOverview#MatomoformerlyPiwik - it is our matomo tracker.
comment:7 Changed 5 years ago by
I have tried for to follow the lead of the "cross origin" error message. But that seemed at the time a false positive. Our cross-origin policies seem well defined and no other browser reports the issue. There are some google hits for similar problems with Firefox, but I did not have the chance to explore in dept.
comment:8 Changed 5 years ago by
Hendrik, you should be able to login to the official page using your account: mail@hendrikschmeer.de . The most we could do there, is to setup a test page that you can edit. But that feels pointless since dev-www is a copy of www (~3 months old) with only the passwords altered, it is intended for cases like this.
If you think the current dev-www page is not close enough to www, just ask me and I can update the copy.
comment:9 Changed 5 years ago by
The only thing I'd like to see on www.clarin.eu, if it is the same cross origin error and I'm not barking the wrong tree. If you can just confirm that, it should be enough for me. I have an account on the main page, but cannot edit pages.
I've also seen the google hits for that problem, but haven't checked yet, if it's relevant.
comment:10 Changed 5 years ago by
| Cc: | André Moreira added |
|---|
comment:11 Changed 5 years ago by
The error message in the live environment is the same as above https://trac.clarin.eu/ticket/1075#comment:5
The GET request for loading the media-browser in an iframe is coming back with this header:
X-Frame-Options allow-from https://stats.clarin.eu/
I think, that this might be problematic, even if it is recommended advice from the Matomo docs.
This option should deny framing of the requested content in any other than the given URI, even from the same origin. This is described here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
The option allow-from is not supported in Chrome and Safari, as shown here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Browser_compatibility
Thus, Firefox behavior appears not to be a bug, but correct implementation.
So far, I have no idea, where this X-Frame-Options header is coming from nor can be changed.
André, do you have an idea?
comment:13 Changed 5 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
OK this one was easy.
According to: https://www.drupal.org/node/2735873
In /var/www/localhost/htdocs/sites/default/settings.php
I set:
$conf['x_frame_options'] = '';
instead of
$conf['x_frame_options'] = 'allow-from https://stats.clarin.eu/';
This solves the problem but I am not sure about security implications. The original state is supposed to avoid clickjacking as explained in the page linked above.
We could also try something more modern and use a CSP as suggested by Firefox and Chrome docs.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
Since the original issue is solved I am closing the ticket.
comment:14 Changed 5 years ago by
Upps, all done already :)
Yes I think, adding something like this would be wise:
Content-Security-Policy: frame-ancestors *.clarin.eu;
For MS Edge and IE Mobile, we would need to include X-Frame-Options again, as CSP is not supported there.
Drupal 8 has a module for that, but more issues seem to be ahead:
https://www.drupal.org/project/csp
Can you try this: comment:2:ticket:1001
In general will be interesting to know if the problem is similar?