Bug #21822
GC library embedded site cross-scripting (Status: closed)
Description
We got this report from Stephen Klein at the GC Library. It seems that their site
has this Commons site embedded in it: https://gclibrary.commons.gc.cuny.edu/
I couldn't tell where exactly at first, but it seems to be right above the footer, from my basic usage of View Source and Inspector. There is this block of code there, under the two-panel section for Featured Collection and Featured Video:
<div id='news' class='news-section rss-feed row col-xxl-8 col-md-12'>
<script id="news-template" type="x-tmpl-mustache">
<h3 class='lower-header'><a href='https://gclibrary.commons.gc.cuny.edu/'>News & Views</a></h3>
<ul class='news'>
{{#items}}
<li><img src='{{image}}'/><h4><a href="{{link}}">{{title}}</a></h4><p>{{shortBodyWithDots}}</p></li>
{{/items}}
</ul>
</script>
</div>
Stephen is reporting that since the Commons migration to Reclaim, the Commons site is not appearing. A message is returned:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gclibrary.commons.gc.cuny.edu/category/blog/website-front-page/feed/?fsk=5c1146bca3512. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘chineseindian.org’).
I am not seeing this, but perhaps it's only for an admin of the GC Library or GC Library Commons site?
I wanted to especially raise this because of the mention of chineseindian.org that came up on the dev call. What is that, and is it something we need to get whitelisted with GC IT or similar?
Updated by Colin McDonald 19 days ago
Sorry, trying to paste the above HTML better here:
<div id='news' class='news-section rss-feed row col-xxl-8 col-md-12'>
<script id="news-template" type="x-tmpl-mustache">
<h3 class='lower-header'><a href='https://gclibrary.commons.gc.cuny.edu/'>News & Views</a></h3>
<ul class='news'>
{{#items}}
<li><img src='{{image}}'/><h4><a href="{{link}}">{{title}}</a></h4><p>{{shortBodyWithDots}}</p></li>
{{/items}}
</ul>
</script>
</div>
Updated by Boone Gorges 19 days ago
Thanks for the report. I've passed it along to Reclaim.
Updated by Colin McDonald 19 days ago
Just wanted to coordinate on this before jumping back into the Reclaim thread. So we have this test site of the Library's that is showing the Commons embed OK:
https://gc-library.github.io/Mina-Rees-library-site
But the live version of the site is not:
I am not sure if the test site was working earlier or not. I can ask. But if the CORS fix that Reclaim made this afternoon is the solution, shouldn't the live site also be showing the embed now? Is the discrepancy between the live and test sites something we need to ask Reclaim about, or the Library about?
Updated by Colin McDonald 19 days ago
Never mind! It seems that the GC library had to do something else on their end, and the live site is the same as the test site now and they say all is well. They did ask if they should be concerned about the chineseindian.org thing and any cross scripting attacks. I moved my point about that coming up in Redmine 11 years ago to #21797, for better or worse.
Updated by Boone Gorges 19 days ago
The chineseindian.org thing is not a vulnerability. We used to have this mapped domain on the Commons, and so part of our configuration must have been set up for it. Somewhere in the transition to Reclaim, the configuration got improperly copied over.
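To make the browser error quoted in the description and the "stale configuration" explanation above concrete, here is an added example (not code from the Commons, Reclaim, or the GC Library). It models the check a browser performs on a cross-origin feed fetch, and shows a server that emits one hard-coded leftover Access-Control-Allow-Origin value next to one that answers from an explicit allowlist. The origins, the live-site hostname and the header values are constructed placeholders; only the feed URL and the chineseindian.org domain come from the ticket.

```python
"""Model of the browser-side CORS check behind the error in this ticket.

Constructed example: hostnames and header values are placeholders, not the
real configuration of the Commons or of Reclaim's hosting.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# The feed the embedded template loads (URL taken from the ticket).
FEED_URL = "https://gclibrary.commons.gc.cuny.edu/category/blog/website-front-page/feed/"


@dataclass(frozen=True)
class CorsDecision:
    allowed: bool
    reason: str


def browser_cors_check(request_origin: str, acao_header: Optional[str]) -> CorsDecision:
    """Rule a browser applies to a simple, credential-less GET.

    The response body is readable by the page only if the
    Access-Control-Allow-Origin header is '*' or exactly equals the
    requesting origin (scheme + host + port). Anything else is blocked
    and reported much like the Firefox message in the ticket.
    """
    if acao_header is None:
        return CorsDecision(False, "CORS header 'Access-Control-Allow-Origin' missing")
    if acao_header == "*" or acao_header == request_origin:
        return CorsDecision(True, "origin allowed")
    return CorsDecision(
        False,
        f"CORS header 'Access-Control-Allow-Origin' does not match '{acao_header}'",
    )


# --- Server side: stale configuration vs. corrected configuration -----------

# Stale value copied over in the migration: a single fixed origin left from a
# domain that used to be mapped onto the Commons (domain from the ticket,
# scheme assumed).
STALE_ACAO = "https://chineseindian.org"


def stale_server(request_origin: str) -> Dict[str, str]:
    """Emits the one hard-coded origin regardless of who is asking."""
    return {"Access-Control-Allow-Origin": STALE_ACAO}


# Corrected configuration: an explicit allowlist of sites permitted to read
# the feed. The header is single-valued, so the server echoes the request's
# Origin only when it is on the list, and sends Vary: Origin so a shared
# cache never hands one embedder's answer to another.
ALLOWED_EMBEDDERS = frozenset({
    "https://gc-library.github.io",   # test site mentioned in the ticket
    "https://library.example.edu",    # placeholder for the live library site
})


def corrected_server(request_origin: str) -> Dict[str, str]:
    headers = {"Vary": "Origin"}
    if request_origin in ALLOWED_EMBEDDERS:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


def fetch_feed(server: Callable[[str], Dict[str, str]], request_origin: str) -> CorsDecision:
    """Simulate the embedded page's fetch: server answers, browser decides."""
    headers = server(request_origin)
    return browser_cors_check(request_origin, headers.get("Access-Control-Allow-Origin"))


if __name__ == "__main__":
    for origin in ("https://gc-library.github.io",
                   "https://library.example.edu",
                   "https://not-on-the-list.example"):
        print(origin)
        print("  stale:    ", fetch_feed(stale_server, origin))
        print("  corrected:", fetch_feed(corrected_server, origin))
```

The stale server blocks every embedder that is not the old mapped domain, which is exactly the symptom the Library saw; the corrected server admits only listed sites and stays silent for anyone else, which is the safer end state than a blanket `*`.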
Updated by Boone Gorges 12 days ago
- Status changed from New to Resolved
- Target version set to Not tracked