Show any domains in the preview (multidomain case) #126

Open
jankout opened this issue Oct 11, 2018 · 10 comments

@jankout
commented Oct 11, 2018

When I'm logged in via one domain, but I have multiple domains in the back end and I want to see the content of another domain in the preview, nothing is shown. It would be great if the preview automatically worked for each domain. Otherwise it's important to be logged in via the domain I want to see in the preview. But then I cannot benefit much from the multidomain function.

@bekanntmacher

Contributor

commented Apr 23, 2019

Vorschau___www_schweizerag_com_und_Vorschau_und_Eingang__68_E-Mails__8_ungelesen__und_Transmit

@contaoacademy


commented Apr 25, 2019

I suspect this is related to the header "X-Frame-Options" in Contao.

See:
contao/standard-edition#54
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options

You can overwrite the setting normally with an entry in /app/config/config.yml
https://community.contao.org/de/showthread.php?72633-Contao4-Dieser-Inhalt-kann-nicht-in-einem-Frame-angezeigt-werden

Possibly this can also be adapted automatically by the developers.

@Toflar

Member

commented Apr 25, 2019

It's not related to the X-Frame-Options. Cookies are bound to a domain so when you log in, enable the FE preview and then switch to a different domain, that cookie is not sent to the server and thus you'll be a logged out user unknown to the application. You cannot just switch domains and remain logged in.
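The cookie scoping described in this comment, as an added example that is not part of the original thread or of Contao's code: it applies the RFC 6265 domain-match rule to three constructed cookies set during a back end login. The host names and cookie names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cookie:
    name: str
    set_by_host: str            # host whose response carried Set-Cookie
    domain_attr: Optional[str]  # Domain attribute, None for a host-only cookie

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: same string, or a dot-separated suffix of a non-IP host."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    return not _is_ip(host) and host.endswith("." + cookie_domain)

def sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.domain_attr is None:
        return request_host.lower() == cookie.set_by_host.lower()
    # A Domain attribute that does not cover the setting host is rejected at
    # Set-Cookie time, so the cookie never exists. (Browsers also reject public
    # suffixes such as "com"; that check is omitted here.)
    if not domain_match(cookie.set_by_host, cookie.domain_attr):
        return False
    return domain_match(request_host, cookie.domain_attr)

# Constructed hosts: the back end login happens on LOGIN_HOST, and the same
# installation also serves OTHER_HOST.
LOGIN_HOST, OTHER_HOST = "www.site-a.example", "www.site-b.example"
COOKIES = [
    Cookie("host_only", LOGIN_HOST, None),
    Cookie("parent_domain", LOGIN_HOST, "site-a.example"),
    Cookie("foreign_domain", LOGIN_HOST, "site-b.example"),
]

def cookies_for(request_host: str) -> list:
    return [c.name for c in COOKIES if sent_to(c, request_host)]

if __name__ == "__main__":
    for host in (LOGIN_HOST, "shop.site-a.example", OTHER_HOST):
        print(host, cookies_for(host))
```

No choice of Domain attribute makes a cookie set on one registrable domain reach the other, so the second domain always sees an anonymous request.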

@contaoacademy


commented Apr 25, 2019

@Toflar thx

@Toflar

Member

commented Apr 25, 2019

Well, the X-Frame-Options could also be an issue but we don't even get there 😄

@bekanntmacher

Contributor

commented Apr 26, 2019

It's a "load denied by X-Frame-Options" issue.

I have now inserted these lines https://community.contao.org/de/showthread.php?72633-Contao4-Dieser-Inhalt-kann-nicht-in-einem-Frame-angezeigt-werden&p=487611&viewfull=1#post487611 into the config.yml. Now it works.

  1. Now I have no idea what exactly I have configured.
  2. Many others with a multidomain installation probably have the same problem (depending on host configuration).

Hypothetically:

  • Probably more and more hosters will follow suit and turn on X-Frame-Options.
  • With the header `X-Frame-Options: ALLOW-FROM https://example.com/` only one domain can be defined (no use for multidomain). And I have not found a switch-off function.
  • Are we prepared for the future with the iframe preview?

And moreover:
If cookies are bound to a domain (forced) as @Toflar said: don't we have a general problem with the preview in combination with a multidomain installation?

@Toflar

Member

commented Apr 26, 2019

Well, of course it's an X-Frame-Options issue if you want to embed the site in an iframe like the FE preview does. What I was saying is that even if we did allow that, yes you could embed a page in the iframe but the FE preview (meaning "show hidden items") would still not work because you're not logged in on that page.
Speaking of the iFrame preview: It's planned to abandon this anyway and replace it by some JS toolbar instead.

> If cookies are bound to a domain (forced) as @Toflar said: don't we have a general problem with the preview in combination with a multidomain installation?

Yes, we do. But that's nothing new, it's the way cookies worked since they were first specified in 1997 😄

@bekanntmacher

Contributor

commented Apr 29, 2019

> Well, of course it's an X-Frame-Options issue if you want to embed the site in an iframe like the FE preview does. What I was saying is that even if we did allow that, yes you could embed a page in the iframe but the FE preview (meaning "show hidden items") would still not work because you're not logged in on that page.

Yes, that's clear. I thought we were one step further because we moved the error from the browser to Contao and maybe there's the possibility to display an error template, e.g. "to use the preview please log in".

1997! I can't know that, it was before our foundation... 😄

@leofeyer

Member

commented May 19, 2019

We have discussed this topic at the Contao Camp 2019. Our idea was to use an OpenID-like token to log in a user on all existing domains by sending Ajax requests either when a user logs in or when a user first opens the preview.php route.

If we go for the login variant, the back end login screen would show a "log in on all domains" checkbox and a "you are being logged in" screen which is shown while the Ajax login requests are running. This would also require a logout screen with a "you are being logged out" message, which is shown while the Ajax logout requests are running.

If we go for the preview.php variant, we could show a screen on which the user can select the domains they want to be logged in or we would simply show the "you are being logged in" message before eventually redirecting to the page to be previewed.
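A sketch of the properties such a cross-domain login token needs, added here as an example and not taken from Contao or from the proposal itself: the token is signed, bound to one target domain, short-lived and single-use. The function names, the shared HMAC key, the 30-second lifetime and the in-memory nonce set are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SECRET = secrets.token_bytes(32)  # assumption: one installation, one shared key
TTL_SECONDS = 30                  # assumption: only needs to survive one Ajax call
USED_NONCES = set()               # stand-in for a shared store with expiry

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> bytes:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).digest()

def issue_token(user: str, target_host: str, now: Optional[float] = None) -> str:
    """Runs on the domain where the user already has a back end session."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": user, "aud": target_host.lower(),
              "exp": issued + TTL_SECONDS, "jti": secrets.token_urlsafe(16)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(_sign(body))

def redeem_token(token: str, request_host: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Runs on the target domain; returns the user to log in, or None."""
    try:
        body, sig = token.split(".")
        # Constant-time comparison before any claim is parsed or trusted.
        if not hmac.compare_digest(_unb64(sig), _sign(body)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    current = time.time() if now is None else now
    if claims["aud"] != request_host.lower():  # minted for a different domain
        return None
    if current >= claims["exp"]:               # expired
        return None
    if claims["jti"] in USED_NONCES:           # replay of a redeemed token
        return None
    USED_NONCES.add(claims["jti"])
    # The caller now sets this domain's own session cookie for claims["sub"].
    return claims["sub"]

if __name__ == "__main__":
    t = issue_token("editor", "www.site-b.example")
    print(redeem_token(t, "www.site-b.example"), redeem_token(t, "www.site-b.example"))
```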

@contaoacademy


commented May 20, 2019

> back end login screen would show a "log in on all domains" checkbox

The checkbox should only appear if more than 1 domain is active.

leofeyer added the "feature" label and removed the "up for discussion" label on Jun 6, 2019
