statamic / cms

The core Laravel CMS Composer package
https://statamic.com

Live Preview doesn't work when site domains are different #6536

Closed edalzell closed 2 years ago

edalzell commented 2 years ago

Bug description

Trying to Live Preview site 2 content from site 1 CP, shows a blank screen with this error:

Not sure if this is an actual bug. To fix, we'd have to update the DataResponse to add a header when live-preview is in the query string:

Content-Security-Policy "frame-src https://site1.com https://site2.com;"

How to reproduce

Steps:

Logs

No response

Environment

Environment
Application Name: Alaska PAC
Laravel Version: 9.25.1
PHP Version: 8.1.9
Composer Version: 2.4.0
Environment: local
Debug Mode: ENABLED
URL: alaskapac.test
Maintenance Mode: OFF

Cache
Config: NOT CACHED
Events: NOT CACHED
Routes: NOT CACHED
Views: CACHED

Drivers
Broadcasting: log
Cache: redis
Database: mysql
Logs: stack / daily, front
Mail: smtp
Queue: redis
Session: file

Statamic
Addons: 17
Antlers: runtime
Version: 3.3.29 PRO

Statamic Addons
aryehraber/statamic-captcha: 1.8.0
aryehraber/statamic-uuid: 2.1.0
doublethreedigital/duplicator: 2.3.1
edalzell/forma: 1.2
jacksleight/statamic-bard-mutator: 1.1.1
jacksleight/statamic-bard-texstyle: 1.0.3
jonassiewertsen/statamic-external-link: 1.6.0
jonassiewertsen/statamic-livewire: 2.9.0
statamic/seo-pro: 3.1.0
swiftmade/statamic-clear-assets: 1.1.0
transformstudios/events: 4.0.6
transformstudios/front: 1.10
transformstudios/gated: dev-main
transformstudios/magic-link: dev-main
transformstudios/review: 3.3.2
transformstudios/simple: dev-main
transformstudios/takeover-redirects: dev-main

Installation

Fresh statamic/statamic site via CLI

Antlers Parser

runtime (new)

Additional details

No response

ryanmitchell commented 2 years ago

It looks to me like your site 2 is explicitly not allowing embedding or remote loading of content for security, which is good practice. And so to get live preview working you need to explicitly allow it. I wouldn't see this as a Statamic bug.

jasonvarga commented 2 years ago

I'm not sure that this needs to be in the core. You can create a middleware that adds the header you mentioned. I think you might need to use frame-ancestors instead though.

Content-Security-Policy "frame-ancestors https://site1.com/ https://site2.com/;"

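
One way to do what the comment above suggests, written here as an added example (it is not code from the issue, from Statamic core, or from any of the commenters): a Laravel middleware that emits a `frame-ancestors` directive only for Live Preview requests. `frame-ancestors` is checked by the browser loading the embedded document, so it has to be sent by the site being previewed (site 2) and list the origins allowed to frame it (the Control Panel on site 1); `frame-src` is the directive for the framing side, and only matters if site 1 itself sends a CSP that restricts `frame-src`/`child-src`/`default-src`. Assumptions not taken from the page: the allowed origins live in a hypothetical config key `app.live_preview_ancestors`, the class and file names are mine, and the `live-preview` query parameter is the one the report mentions.

```php
<?php
// app/Http/Middleware/AllowLivePreviewFraming.php
// Added example, not Statamic core code. Lets a Control Panel on another
// domain embed this site's Live Preview without relaxing framing anywhere else.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AllowLivePreviewFraming
{
    public function handle(Request $request, Closure $next): Response
    {
        /** @var Response $response */
        $response = $next($request);

        // Only Live Preview requests (identified by the `live-preview` query
        // parameter named in the issue) get a relaxed policy.
        if (! $request->has('live-preview')) {
            return $response;
        }

        $ancestors = $this->allowedAncestors();
        if ($ancestors === []) {
            return $response; // nothing configured: keep the strict default
        }

        // Merge with any CSP already on the response. A policy may carry only
        // one frame-ancestors directive (browsers honour the first and ignore
        // later duplicates), so an existing one is replaced, not appended to.
        $existing = (string) $response->headers->get('Content-Security-Policy', '');
        $directives = array_values(array_filter(
            array_map('trim', explode(';', $existing)),
            fn (string $d) => $d !== '' && ! str_starts_with(strtolower($d), 'frame-ancestors')
        ));
        $directives[] = 'frame-ancestors '.implode(' ', $ancestors);

        // frame-ancestors is only honoured as a response header, never via <meta>.
        $response->headers->set('Content-Security-Policy', implode('; ', $directives));

        // A legacy X-Frame-Options: DENY/SAMEORIGIN would still block the frame
        // in browsers that evaluate it, so drop it for this response only.
        $response->headers->remove('X-Frame-Options');

        return $response;
    }

    /**
     * Normalise the configured origins (hypothetical key app.live_preview_ancestors,
     * e.g. ['https://site1.com', 'https://site2.com']) to scheme://host[:port].
     * Entries without a host, such as '*' or 'https:', are dropped so a typo in
     * config cannot widen the policy to "anyone may frame this site".
     *
     * @return array<int, string>
     */
    private function allowedAncestors(): array
    {
        $origins = [];

        foreach ((array) config('app.live_preview_ancestors', []) as $url) {
            $parts = parse_url((string) $url);

            if (! is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
                continue;
            }

            if (! in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
                continue;
            }

            $origins[] = strtolower($parts['scheme']).'://'.strtolower($parts['host'])
                .(isset($parts['port']) ? ':'.$parts['port'] : '');
        }

        return array_values(array_unique($origins));
    }
}
```

Register it in the `web` group in `app/Http/Kernel.php` (Laravel 9, the version in the report) and put the Control Panel origin(s) in the config array. Because the header is only added when `live-preview` is present, ordinary front-end responses keep whatever strict policy the site already sends; a quick check is `curl -sI https://site2.com/some-page` (no CSP change) against `curl -sI 'https://site2.com/some-page?live-preview=1'` (a `frame-ancestors` directive listing the CP origin).
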
edalzell commented 2 years ago

It looks to me like your site 2 is explicitly not allowing embedding or remote loading of content for security, which is good practice. And so to get live preview working you need to explicitly allow it. I wouldn't see this as a Statamic bug.

The only argument I have against it is that folks w/ multi-sites on different domains will think that Live Preview is broken, which is a poor experience.

Swennet commented 9 months ago

@jasonvarga We just ran into this issue on one of our client's sites, and I agree this should be in core. Having different domains in a multi-site is a core feature, so why wouldn't including the right CSP headers automatically be?

Can this be re-opened?