Bug #4388
openRepeated request for authentication.
0%
Description
Hi, I'm building a site on the Commons, and when I click on a page or refresh one, a pop-up asking for authentication interrupts the work, often making me click OK up to 8-10 times. (It doesn't go away if I click Cancel, either). I can't tell whether this is Commons-wide or related to my account or theme, although it did not happen when I used a different Commons site yesterday
My site is not public yet, but the URL is amcmichael.commons.gc.cuny.edu and the theme is Make. I've had this problem repeatedly over the last couple of weeks. (See the attached screenshot for the pop-up box that I get).
Thank you.
Best,
Alice Lynn
Files
Updated by Matt Gold over 8 years ago
- Status changed from New to Assigned
- Assignee set to Boone Gorges
Updated by Boone Gorges over 8 years ago
- Category name set to WordPress (misc)
- Assignee changed from Boone Gorges to Raymond Hoh
Possibly related: #4315
Ray, I'm finding that I'm unable to reproduce this - would you mind clicking around to see if you can?
Updated by Alice.Lynn McMichael over 8 years ago
An addendum: I'm only having this problem in Firefox (not Chrome), but I'm not having it on any other sites.
Updated by Raymond Hoh over 8 years ago
I am not able to reproduce the prompt on Firefox.
Boone, it might have something to do with the WP customizer and SSL, but it's just a guess on my part at the moment.
Alice, how are you encountering this prompt? Does it occur when you are attempting to customize the site from the frontend by clicking on "Alice Lynn McMichael > Customize"? If you could jot down the steps it takes to replicate the prompt, that would be great.
Updated by Alice.Lynn McMichael over 8 years ago
Hi, Raymond.
I'm getting the message in a box that drops down from the browser when I click on pages in the back-end of my WP site. For instance, just now I was viewing the Research page and clicked "Edit page" in the black menu bar at the top, and the box dropped down.
I've tried downloading a new version of Firefox, logging out of the Commons, checking and unchecking the "Remember Me" box on the WP page that says only admins can view the site. None of these have stopped or reduced the number of times I see the message.
Thanks.
Updated by Matt Gold over 8 years ago
Alice Lynn, are you getting this on a single computer or multiple computers? If the former, have you changed security settings and/or your system clock recently?
Updated by Boone Gorges over 8 years ago
I managed to reproduce this. It appears to be linked specifically to post.php, when running the Make theme, and when visiting the site with Firefox.
I've spent a few hours trying to figure out the issue. I'm running up against a wall, and I'm hoping I can hand it over to Ray to get a fresh set of eyes on it. Here's what I think is happening:
- The assets that are being blocked are all CSS files of one sort or other: admin-ajax.php?action=ttfmake-css, wp-content.css, dashicons.min.css. Further, I think they're all font-related.
- There seems to be a known issue where Firefox is particularly strict about the way CSS fonts are loaded across domains. See http://www.cssbakery.com/2010/07/fixing-firefox-font-face-cross-domain_25.html
- In this case, we're not really loading across domains. The problem seems to occur only in the context of the iframes that Make creates on post.php, which are then used to house TinyMCE instances. Make does a trick where it grabs WP's tineMCEPreInit variable, fishes the CSS paths out of it, and then builds `<link>` elements to inject into each iframe. See wp-content/themes/make/inc/builder/core/js/app.js, especially oneApp.initFrame and oneApp.getFrameHeadLinks. Something is happening when the iframe content loads that's triggering FF's strict access policy, though I can't quite figure out what that is.
I messed around with a few possible solutions. One involved setting a custom Access-Control-Allow-Origin for the problematic files in our .htaccess. I think this could probably work, though it seems quite arbitrary, and only addresses the symptom rather than the root problem. I also played a bit to see if forcing the link URLs to http or https (or //) would solve the problem, but I came up against a dead end there. We can also tell Make users to configure FF to be more permissive about CORS, but this seems like a last resort.
Ray, if you can manage to reproduce this problem based on the description above, would you mind spending a bit of time thinking about it?
Updated by Raymond Hoh over 8 years ago
Boone, how do you trigger the prompt when editing the Research page? Do I have to click on a specific button or setting?
Updated by Boone Gorges over 8 years ago
Just loading the page brings up the prompts for me. Clear your cache, then look at the "net" tab in your browser console while loading and see if any assets are 401ing or 403ing.
Updated by Alice.Lynn McMichael over 8 years ago
Thanks for the updates, Boone and Raymond. From my end, I spent some time trying all sorts of variations on my Firefox history, Privacy, and Security settings, to no avail. Is this something I should also be reporting to the Make theme developers, or does it seem to be Commons-specific?
Thanks.
Updated by Raymond Hoh over 8 years ago
- File 2015-08-10_134054.png added
Alice, I've added some code to prevent the prompt from showing. Please test editing a page on your site and see if you still encounter the dialog window. You might need to purge your browser cache as well.
Boone, see commit fbc22e3.
I've added the 'sandbox' attribute where the Make theme inserts an <iframe>. Since Make is injecting CSS and other stuff into these iframes for TinyMCE purposes, we have to explicitly set the iframe to 'sandbox="allow-same-origin"' to prevent Firefox from going CORS-crazy.
I've tested this on production and it appears to suppress the authorization prompt, but the browser network logs still show a 401 response in some instances. Not sure why.
I've pushed the commit to 1.8.x branch, but not master yet. However, the code is live for testing to get some feedback.
Updated by Boone Gorges over 8 years ago
- Target version set to Future release
Thanks, Ray. I guess I was on the right track with FF/CORS. I was not aware of the 'sandbox' property of iframes.
I'm guessing - though I haven't tested this yet - that the problem is arising in our instance because of the URL mismatch caused by using FORCE_SSL_ADMIN when home_url is http://. Or maybe SSL is a red herring, and Firefox would throw these notices no matter what. Either way, it seems like a bug in Make, right? Are we feeling good enough about our diagnosis to report it to the people at The Theme Foundry?
Alice Lynn, please do let us know if Ray's changes have caused the authentication popups from appearing.
Updated by Raymond Hoh over 8 years ago
I'm guessing - though I haven't tested this yet - that the problem is arising in our instance because of the URL mismatch caused by using FORCE_SSL_ADMIN when home_url is http://. Or maybe SSL is a red herring, and Firefox would throw these notices no matter what.
According to the "Network" tab, all our assets are running in HTTPS, so that shouldn't be a problem. But, I was also suspecting it could have been a SSL issue yesterday.
Either way, it seems like a bug in Make, right?
I would say it's more of a Firefox thing since this only occurs in Firefox. Does this make Firefox more secure? Perhaps.
Another thing to note is Firefox 40 does somewhat address this issue as well - "HTTP auth dialog can no longer be triggered by cross-origin resources":
https://developer.mozilla.org/en-US/Firefox/Releases/40/Site_Compatibility#sect10
I just tested in Firefox 40 and the IFRAME sandbox attribute is still needed, otherwise the auth prompt still shows up.
Are we feeling good enough about our diagnosis to report it to the people at The Theme Foundry?
I'm feeling better about the fix, but I'll wait until Alice Lynn can verify that the prompt no longer shows up before submitting a pull request to Theme Foundry.
Updated by Alice.Lynn McMichael over 8 years ago
I just spent some time on the site and had slightly different results with the authentication request--I got it only on one page (and I got the request only once each time I clicked on the page, instead of 8-12 times as I did before).
Here's where I got the request:
From the dashboard, I clicked View Site.
From the Research page (front end), I clicked Edit Page and got the authentication request once.
I repeated this with all the other pages, and it only happened on the Research page. I also got the authentication request again when I repeated those steps on the Research page.
Updated by Raymond Hoh over 8 years ago
Thanks for reporting back, Alice Lynn.
I have verified that I still see the prompt, but only sparingly when editing the "Research" page, not all the time.
Can you try upgrading to Firefox 40 and deleting your browser cache to see if that helps?
I repeated this with all the other pages, and it only happened on the Research page. I also got the authentication request again when I repeated those steps on the Research page.
When I was debugging the problem yesterday, I also forgot to mention that the prompt only showed up when editing the "Research" page and not other Make pages like "Projects" or "Landing".
Boone, there must be something else on the Research page that is triggering this. My only guess at the moment is due to the number of columns being loaded on the "Research" page. However, some columns are able to load all the CSS and webfonts without the 401 errors...
Updated by Alice.Lynn McMichael over 8 years ago
Hi, Raymond.
I updated to Firefox 40 and cleared the cache but still got the authentication message again (several times) after clicking from the Research page (front-end) to its Edit Page back-end.