Project

General

Profile

Actions

Bug #5319

closed

Broken URL

Added by Marilyn Weber about 8 years ago. Updated over 6 years ago.

Status:
Resolved
Priority name:
Normal
Assignee:
Category name:
-
Target version:
Start date:
2016-03-11
Due date:
% Done:

0%

Estimated time:
Deployment actions:

Description

http://brooklynwaterfront.org/wp-admin/

(Came to my attention via ZenDesk, verified by Scott " took a look at this and saw that the site is working fine, BUT the admin url is not.")

Boone, do you see a problem? Thanks!!


Related issues

Related to CUNY Academic Commons - Support #14850: brooklyn waterfront site "connection not secure"Abandoned2021-10-09

Actions
Related to CUNY Academic Commons - Support #17649: brooklynwaterfront.org problemAbandoned2023-02-09

Actions
Actions #1

Updated by Marilyn Weber about 8 years ago

Could the problem have something to do with the fact that the address is a .org rather than a commons URL?

Actions #2

Updated by Boone Gorges about 8 years ago

  • Status changed from New to Resolved
  • Target version set to Not tracked

Sorta. It appears that the brooklynwaterfront.org domain itself is not actually hosted at the Commons. It's on a different IP (50.21.188.170). That server loads a webpage that contains nothing but an iframe, and the iframe contains the content of http://bwrc.commons.gc.cuny.edu/, which is hosted on the Commons. As such, brooklynwaterfront.org/wp-admin is not a real page. For security reasons, WordPress does not allow the Dashboard to be loaded inside of an iframe.

If the admin of brooklynwaterfront.org would like to be able to administer the site under brooklynwaterfront.org/wp-admin, the domain will have to be mapped to the Commons, as per our normal procedures. Otherwise, the Dashboard is accessible via https://bwrc.commons.gc.cuny.edu/wp-admin.

Actions #3

Updated by Matt Gold about 8 years ago

Whoa. Does this set-up present any security issues?

Actions #4

Updated by Boone Gorges about 8 years ago

I don't think so. WordPress sends a same-origin header to the browser, which prevents the browser from accepting cookies from *.commons.gc.cuny.edu domains if the URL in the location bar doesn't match the *.commons.gc.cuny.edu policy. In other words, it's not possible to be logged into the Commons when the Commons is being shown in an iframe on a site with a non-Commons domain. This mitigates all the obvious security issues (cookie forgery, CSRF, etc).

Actions #5

Updated by Marilyn Weber over 6 years ago

  • Status changed from Resolved to New

This site is having problems again. Can I be added as an admin? Thanks!

Actions #6

Updated by Matt Gold over 6 years ago

FYI, the site isn't loading at all for me

Actions #7

Updated by Boone Gorges over 6 years ago

  • Assignee changed from Boone Gorges to Marilyn Weber

Marilyn, you've been added as an administrator on https://bwrc.commons.gc.cuny.edu/

As far as I can tell, the site is still configured in the way described above https://redmine.gc.cuny.edu/issues/5319#note-2. Browsers may or may not block the content of the embedded iframe, depending on security policies. I do see that the iframe code is referencing http://bwrc... rather than https://bwrc (note the 's'). It could be that changing that value will be enough to placate browser policies.

Actions #8

Updated by Boone Gorges over 6 years ago

  • Status changed from New to Resolved

Going to close this one out again. If there continue to be iframe-related problems, even after fixing HTTPS issues, then the authors may want to consider working with our team to do a standard domain mapping setup.

Actions #9

Updated by Raymond Hoh over 2 years ago

  • Related to Support #14850: brooklyn waterfront site "connection not secure" added
Actions #10

Updated by Boone Gorges about 1 year ago

Actions

Also available in: Atom PDF