PDF embeds fail in sites with subdomains for user pages

Bug #1399246 reported by Mike Kelly on 2014-12-04
This bug affects 1 person
Affects   Importance   Assigned to
Mahara    High         Mike Kelly
1.10      High         Aaron Wells
1.8       High         Aaron Wells
1.9       High         Aaron Wells

Bug Description

The PDF content block fails to render the PDF iframe in a user's View if Mahara is set up to have subdomain urls for users, e.g. http://mikekelly.mymahara.org/mikes-page

This is due to the X-Frame SAMEORIGIN rule enforced for Mahara pages. The PDF is served from the main domain, while the View page is served from the subdomain.

This does not affect group Views, or the editing interface for Views, where the user identifier subdomain part is not used in the url.

I suspect it also affects all other supported versions of Mahara?

Changed in mahara:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mike Kelly (m-f-kelly)
milestone: none → 15.04.0
Mike Kelly (m-f-kelly) wrote :

Yes, any version which includes the clean urls and subdomains feature, and also has the PDF block. I'm not sure if there are any other content blocks featuring iFrames which will be affected?

When I came across this bug I thought that adding the main site domain to the list of allowed iFrames would fix it - it didn't unfortunately, and I haven't had a chance to look at the iFrame whitelisting mechanism. Perhaps the issue could be fixed once there instead of in every content block with an iFrame?

Reviewed: https://reviews.mahara.org/4061
Committed: http://gitorious.org/mahara/mahara/commit/31e63c6358856aa7a07e676a8c8300218386324f
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit 31e63c6358856aa7a07e676a8c8300218386324f
Author: Mike Kelly <email address hidden>
Date: Thu Dec 4 15:24:48 2014 +0000

Fix PDFs SAMEORIGIN error when using subdomains (Bug #1399246)

X-Frame SAMEORIGIN error is thrown when viewing an embedded PDF on a
user's View, if Mahara is set up to use subdomains.

This is because the current page url has the subdomain part, but the PDF
iframe does not. Group views and page editing interface are not
affected.
This patch adds the subdomain part to the iframe url, and the PDF url,
as required.

Change-Id: I7e5856d8cfcd6ac7e2df71859c1b18d3f561bfd1
Signed-off-by: Mike Kelly <email address hidden>

Aaron Wells (u-aaronw) on 2015-01-08
Changed in mahara:
status: In Progress → Fix Committed

Reviewed: https://reviews.mahara.org/4131
Committed: http://gitorious.org/mahara/mahara/commit/f215dbcae4024079f4e7a31967cb0b76633b48e9
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.10_STABLE

commit f215dbcae4024079f4e7a31967cb0b76633b48e9
Author: Mike Kelly <email address hidden>
Date: Thu Dec 4 15:24:48 2014 +0000

Fix PDFs SAMEORIGIN error when using subdomains (Bug #1399246)

X-Frame SAMEORIGIN error is thrown when viewing an embedded PDF on a
user's View, if Mahara is set up to use subdomains.

This is because the current page url has the subdomain part, but the PDF
iframe does not. Group views and page editing interface are not
affected.
This patch adds the subdomain part to the iframe url, and the PDF url,
as required.

Change-Id: I7e5856d8cfcd6ac7e2df71859c1b18d3f561bfd1
Signed-off-by: Mike Kelly <email address hidden>
Signed-off-by: Aaron Wells <email address hidden>

Aaron Wells (u-aaronw) wrote :

Since this is a non-trivial change, and it only affects sites using clean URL subdomains, I'm not going to take the risk of backporting it to 1.9 and 1.8.

But to anyone out there running a 1.9 or 1.8 site who encounters this problem, you can probably fix it by cherry-picking my patch for 1.10: https://reviews.mahara.org/4131

tags: added: cleanurls pdf subdomains
Aaron Wells (u-aaronw) on 2015-02-10
Changed in mahara:
status: Fix Committed → In Progress

Reviewed: https://reviews.mahara.org/4205
Committed: http://gitorious.org/mahara/mahara/commit/1b3237918c13158ee1f94756aeabd72dd4b53650
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit 1b3237918c13158ee1f94756aeabd72dd4b53650
Author: Mike Kelly <email address hidden>
Date: Thu Jan 22 10:46:44 2015 +0000

Fix PDFs SAMEORIGIN error when using subdomains (Bug #1399246)

Previous fix didn't work when page was viewed by third parties.
The subdomain address for the iframe needs to be derived from the page
author, not the current user.

Change-Id: Ic3669dd01fbe600ed2e9cf74b939ef96a84addca
Signed-off-by: Mike Kelly <email address hidden>

Reviewed: https://reviews.mahara.org/4266
Committed: http://gitorious.org/mahara/mahara/commit/586f6918a6659b1b4b5456427947bcd205d7742f
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.10_STABLE

commit 586f6918a6659b1b4b5456427947bcd205d7742f
Author: Mike Kelly <email address hidden>
Date: Thu Jan 22 10:46:44 2015 +0000

Fix PDFs SAMEORIGIN error when using subdomains (Bug #1399246)

Previous fix didn't work when page was viewed by third parties.
The subdomain address for the iframe needs to be derived from the page
author, not the current user.

Change-Id: Ic3669dd01fbe600ed2e9cf74b939ef96a84addca
Signed-off-by: Mike Kelly <email address hidden>
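As an added illustration (not Mahara's own code) of the origin mismatch described in the bug report and of the page-author-versus-current-user distinction in the commit message above, the following Python models how a browser applies X-Frame-Options: SAMEORIGIN to the PDF block's iframe. The site root, page path and viewer path are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed site root for the example; a real Mahara site takes this from config.php.
WWWROOT = "http://mahara.test/"

def origin(url):
    """Browser same-origin tuple: (scheme, host, port)."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)

def sameorigin_allows(page_url, frame_url):
    """True if X-Frame-Options: SAMEORIGIN lets page_url frame frame_url."""
    return origin(page_url) == origin(frame_url)

def user_page_url(author):
    """Clean URL of a page owned by `author` with user subdomains enabled."""
    p = urlsplit(WWWROOT)
    return urlunsplit((p.scheme, f"{author}.{p.netloc}", "/my-page", "", ""))

def pdf_embed_url(subdomain_user, artefact_id):
    """URL the PDF block puts in its iframe. subdomain_user=None models the
    original bug (served from the main domain); otherwise the iframe is
    served from that user's subdomain. The path is a placeholder."""
    p = urlsplit(WWWROOT)
    host = f"{subdomain_user}.{p.netloc}" if subdomain_user else p.netloc
    return urlunsplit((p.scheme, host, "/pdf-viewer", f"file={artefact_id}", ""))

def check_variants(author, viewer, artefact_id=42):
    """Evaluate the three iframe hosts discussed in the bug for a page owned
    by `author` and viewed by `viewer` (None = anonymous visitor):
    main domain (original bug), the current viewer's subdomain (first fix),
    and the page author's subdomain (final fix)."""
    page = user_page_url(author)
    return {
        "main_domain": sameorigin_allows(page, pdf_embed_url(None, artefact_id)),
        "viewer_subdomain": sameorigin_allows(page, pdf_embed_url(viewer, artefact_id)),
        "author_subdomain": sameorigin_allows(page, pdf_embed_url(author, artefact_id)),
    }

if __name__ == "__main__":
    # Owner viewing their own page: the first fix appears to work ...
    print(check_variants("user1", "user1"))
    # ... but a third party or anonymous visitor shows why the second commit was needed.
    print(check_variants("user1", "user2"))
    print(check_variants("user1", None))
```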

Aaron Wells (u-aaronw) wrote :

For the record, here's how to replicate this issue, if you're too lazy to set up wildcard DNS.

1. In your config.php, set "$cfg->cleanurls" and "$cfg->cleanurlusersubdomains" to true.

2. Add a subdomain to your /etc/hosts file for the username "user1". For example, for a local Mahara site at the domain "mahara.test" I would put this line in /etc/hosts: "127.0.0.1 mahara.test user1.mahara.test"

3. Do a clean Mahara install.

4. Create a user with username "user1"

5. Log in as user1, create a page, put a PDF block in that page, then make the page visible to the public.

6. View the page in display mode. It will be shown with a URL like "user1.mahara.test/pagename"

Expected result: You should see the PDF content displayed in the PDF block.

Actual result: The PDF block title shows up, but you do not see the PDF content.

Changed in mahara:
status: In Progress → Fix Committed
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released