Show any domains in the preview (multidomain case) #126

Closed
jankout opened this issue Oct 11, 2018 · 12 comments

jankout commented Oct 11, 2018

When I'm logged in over a domain, but I have multiple domains in the backend and I want to see the content of another domain in the preview, nothing will show. It would be great if the preview automatically worked for each domain. Otherwise it's important to be logged in over the domain I want to see in the preview. But then I cannot benefit much from the multidomain function.

@bekanntmacher
Contributor

Vorschau___www_schweizerag_com_und_Vorschau_und_Eingang__68_E-Mails__8_ungelesen__und_Transmit

@contaoacademy

I suspect this is related to the header "X-Frame-Options" in Contao.

See:
contao/standard-edition#54
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options

You can overwrite the setting normally with an entry in /app/config/config.yml
https://community.contao.org/de/showthread.php?72633-Contao4-Dieser-Inhalt-kann-nicht-in-einem-Frame-angezeigt-werden

Possibly this can also be adapted automatically by the developers.

@Toflar
Member

Toflar commented Apr 25, 2019

It's not related to the X-Frame-Options. Cookies are bound to a domain so when you log in, enable the FE preview and then switch to a different domain, that cookie is not sent to the server and thus you'll be a logged out user unknown to the application. You cannot just switch domains and remain logged in.
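The cookie scoping described in the comment above, as an added example that is not part of the thread or of Contao's code: a reduced model of RFC 6265 domain matching. The host names and the `SESSID` cookie are constructed, and the public-suffix check browsers also apply is left out.

```javascript
// Added example: RFC 6265 cookie scoping, reduced to the parts relevant here.
// Host names and the cookie name are constructed for illustration.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain if both are
// identical, or the host ends with "." + domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Store a cookie the way a browser does: without a Domain attribute it is
// host-only; with one, the attribute must domain-match the host that set it.
function storeCookie(setByHost, name, domainAttr) {
  if (!domainAttr) {
    return { name, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (!domainMatches(setByHost, domain)) return null; // rejected by the browser
  return { name, domain, hostOnly: false };
}

// Decide whether a stored cookie accompanies a request to requestHost.
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

// Constructed multidomain installation: the back end login happens on
// www.site-a.example, a second root page is served from www.site-b.example.
const session = storeCookie("www.site-a.example", "SESSID", null);
const shared = storeCookie("www.site-a.example", "SESSID", "site-a.example");
// A site cannot set a cookie for an unrelated domain, so this is null.
const foreign = storeCookie("www.site-a.example", "SESSID", "site-b.example");
```

Widening the `Domain` attribute only reaches subdomains of the same parent, so no cookie setting lets the login on one domain authenticate the preview on an unrelated one.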

@contaoacademy

@Toflar thx

@Toflar
Member

Toflar commented Apr 25, 2019

Well, the X-Frame-Options could also be an issue but we don't even get there 😄

@bekanntmacher
Contributor

It's a load denied by X-Frame-Options issue.

I have now inserted these lines https://community.contao.org/de/showthread.php?72633-Contao4-Dieser-Inhalt-kann-nicht-in-einem-Frame-angezeigt-werden&p=487611&viewfull=1#post487611 into the config.yml. Now it works.

  1. now I have no idea what I have exactly configured
  2. many others with multidomain installation probably have the same problem (depending on host configuration)

hypothetically:

  • Probably more and more hosters will follow suit and turn on X-frame options.
  • per header X-Frame-Options: ALLOW-FROM https://example.com/ only one domain can be defined (no use for multidomain). And I have not found a switch-off function.
  • are we prepared for the future with the iframe preview?

and moreover:
If cookies are bound to a domain (forced) as @Toflar said: don't we have a general problem with the preview in combination with a multidomain installation?

@leofeyer added the "up for discussion" label Apr 26, 2019
@Toflar
Member

Toflar commented Apr 26, 2019

Well, of course it's an X-Frame-Options issue if you want to embed the site in an iframe like the FE preview does. What I was saying is that even if we did allow that, yes you could embed a page in the iframe but the FE preview (meaning "show hidden items") would still not work because you're not logged in on that page.
Speaking of the iFrame preview: It's planned to abandon this anyway and replace it by some JS toolbar instead.

> If cookies are bound to a domain (forced) as @Toflar said: don't we have a general problem with the preview in combination with a multidomain installation?

Yes, we do. But that's nothing new, it's the way cookies worked since they were first specified in 1997 😄

@bekanntmacher
Contributor

bekanntmacher commented Apr 29, 2019

> Well, of course it's an X-Frame-Options issue if you want to embed the site in an iframe like the FE preview does. What I was saying is that even if we did allow that, yes you could embed a page in the iframe but the FE preview (meaning "show hidden items") would still not work because you're not logged in on that page.

Yes, that's clear. I thought we were one step further because we moved the error from the browser to Contao, and maybe there's the possibility to display an error template, e.g. "to use the preview please log in".

1997! I can't know that, it was before our foundation... 😄

@leofeyer
Member

We have discussed this topic at the Contao Camp 2019. Our idea was to use an OpenID-like token to log in a user on all existing domains by sending Ajax requests either when a user logs in or when a user first opens the preview.php route.

If we go for the login variant, the back end login screen would show a "log in on all domains" checkbox and a "you are being logged in" screen which is shown while the Ajax login requests are running. This would also require a logout screen with a "you are being logged out" message, which is shown while the Ajax logout requests are running.

If we go for the preview.php variant, we could show a screen on which the user can select the domains they want to be logged in or we would simply show the "you are being logged in" message before eventually redirecting to the page to be previewed.
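One way such a cross-domain login token could be checked, as an added sketch that is not part of the thread and not Contao's implementation: the domain holding the session issues a short-lived HMAC-signed token for one target domain, which verifies it before setting its own session cookie. The function names, claim names, shared secret and in-memory nonce set are all assumptions.

```javascript
// Added example (hypothetical design, Node.js): single-use login token.
const nodeCrypto = require("node:crypto");

// Assumption: every domain of the installation shares this secret.
const SECRET = nodeCrypto.randomBytes(32);
// Assumption: in a real set-up this would be storage shared by all domains.
const usedNonces = new Set();

function sign(payloadB64) {
  return nodeCrypto.createHmac("sha256", SECRET).update(payloadB64).digest();
}

// Issued by the domain on which the back end user is already authenticated.
function issueToken(user, targetDomain, now, ttlSeconds = 30) {
  const claims = {
    sub: user,
    aud: targetDomain, // the one domain allowed to redeem this token
    exp: now + ttlSeconds,
    jti: nodeCrypto.randomBytes(16).toString("hex"), // replay protection
  };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return payload + "." + sign(payload).toString("base64url");
}

// Run by the target domain before it sets its own session cookie.
function redeemToken(token, thisDomain, now) {
  const [payload, mac] = String(token).split(".");
  if (!payload || !mac) return { ok: false, reason: "malformed" };
  const expected = sign(payload);
  const given = Buffer.from(mac, "base64url");
  // Verify the signature in constant time before parsing any claim.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  if (claims.aud !== thisDomain) return { ok: false, reason: "wrong domain" };
  if (now >= claims.exp) return { ok: false, reason: "expired" };
  if (usedNonces.has(claims.jti)) return { ok: false, reason: "replayed" };
  usedNonces.add(claims.jti);
  return { ok: true, user: claims.sub };
}
```

Binding the token to one domain, a short lifetime and a single use keeps a token leaked through a URL, log or referrer from being replayed or used on another site of the installation.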

@contaoacademy

> back end login screen would show a "log in on all domains" checkbox

The checkbox should only appear if more than 1 domain is active.

@leofeyer added the "feature" label and removed the "up for discussion" label Jun 6, 2019
@aschempp
Member

aschempp commented May 8, 2020

I wonder if this is kinda solved in 4.9? If you open a preview URL of a separate domain, you're now forced to log in to the back end, so preview works "automatically". Thanks to the new preview bar, there's no frame issue anymore.

@leofeyer
Member

I think so, too.

@github-actions bot locked as resolved and limited conversation to collaborators Mar 18, 2024