velsa / notehost

Free Hosting for Notion Sites!
MIT License

Redirecting official Notion website through custom domain shouldn't be allowed #10

Closed arinc9 closed 6 months ago

arinc9 commented 6 months ago

First of all, thanks for building this project. I've switched from fruition to notehost, it works well. I've had this issue on fruition where the page would scroll down when the mouse cursor moves below the center of the web page, and scroll up for above, at least on Firefox. I haven't experienced this issue on notehost, from my short time spent on going through my pages.

I see that the official content on the Notion website will be forwarded through my domain as well, such as: https://arinc9.com/desktop

Anybody can download Notion through my website which will cause unwanted traffic through my domain. Could you prevent redirecting official Notion website through the custom domain?

velsa commented 6 months ago

Thanks for using the project and glad to hear that it is working well for you!

As for redirecting pages from Notion – this is the whole idea that notehost (and fruition for that matter) is built on. Custom domain hosting is achieved through a reverse proxy, which forwards pages hosted on the notion.so domain to your custom domain.

One solution to this is to create slugs for those 'unwanted' redirects and display your own pages (e.g. a 404 page) on those slugs.

Also, I wonder - in what scenario do you see the user manually entering a URL with a non-existent slug, instead of simply following the links on your pages?

arinc9 commented 6 months ago

Why not reverse proxy to user.notion.site instead of notion.so? That domain blocks access to Notion website paths, and pages that are not the user's. And the user.notion.site domain could be defined in src/site-config.ts.

I can't possibly create slugs to prevent all page IDs of other Notion users, so I see my suggestion above as a complete solution.

The scenario is malicious intent. In any case, I want to prevent serving traffic I'm not supposed to serve with my Cloudflare Worker application.

arinc9 commented 6 months ago

@velsa were you able to investigate this?

velsa commented 6 months ago

Unfortunately redirecting to notion.site doesn't work. Notion runs some additional verification for this domain and shows captcha to the visitor.

But actually, your issue was solved, since I fixed the 404 feature, which didn't work as it was supposed to :)

Now, every time you access a non-existent slug - you will be redirected to a default or configured 404 page, which can be any Notion page! Please see the docs for configuration details.

You will need to update the notehost to the latest version (1.0.14) and redeploy your site.

arinc9 commented 6 months ago

> Unfortunately redirecting to notion.site doesn't work. Notion runs some additional verification for this domain and shows captcha to the visitor.

Let's track the relevant redirection the reverse proxy goes through:

$ curl https://www.notion.so/6fc896e22d3c418a95ac08ce8c8c5d07 
Moved Permanently. Redirecting to https://arinc9.notion.site/arinc9-s-Website-6fc896e22d3c418a95ac08ce8c8c5d07%                                                                                                    

So I don't understand how the behaviour with redirecting to user.notion.site instead of www.notion.so is any different than the current implementation.

That said, I did test using arinc9.notion.site and it works fine. The lines I've changed in index.js, deployed on Cloudflare Workers:

    // Rewrite the Notion site hostname in the response body to the custom domain
    const ret = new Response(body.replace(/arinc9\.notion\.site/g, domain), response);
[...]
    // Point requests for the custom domain at the Notion site hostname
    arguments[1] = arguments[1].replace(domain, 'arinc9.notion.site')

    if (arguments[1].indexOf('msgstore.arinc9.notion.site') > -1) {
[...]
    // Upstream hostname the proxy connects to
    url.hostname = "arinc9.notion.site";

Regarding 404 redirection, I can confirm it works fine but the page IDs from other Notion workspaces will still be served, which can be prevented with the reverse proxy connecting to user.notion.site instead of www.notion.so.

Also, with the latest version, images on the website won't load.

gojomo commented 6 months ago

From another perspective: serving other users' content, without conscious choice, through a notehost user's custom domain introduces lots of potential problems, risking backlash by the creators of the other content.

For example, even though such content is public, many will dislike being served (seemingly as if bulk-copied) from another domain. There's also a risk of reputational/SEO damage or legal risk to the notehost user – when it appears like their domain is serving content that doesn't match their goals/brand or perhaps even their local laws.

Even if something as bulky/awkward as a large manually-refreshed whitelist of the user's own page-IDs is required to fix, that might be essential for some users.

velsa commented 6 months ago

Thanks for your detailed investigation and perspectives, guys! I've added a new config option, as requested, to address this issue.

@arinc9 in your case, you can simply put

notionDomain: 'arinc9'

in the config file and redeploy with the latest version of notehost (1.0.18)

arinc9 commented 6 months ago

Works fine, thank you very much! The issue of images not loading has also disappeared.
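
An added example, not part of the thread and not notehost's code: one way a reverse-proxy Worker can refuse the requests discussed above (Notion site paths such as /desktop, and page IDs from other workspaces) by forwarding only configured slugs and the owner's own page IDs. The function name `decide`, the config fields and the all-zero 404 page ID are hypothetical; the sample config is constructed from values quoted in the thread.

```javascript
// Hypothetical names throughout; constructed sample configuration.
const sampleConfig = {
  upstreamHost: 'arinc9.notion.site',                       // workspace domain from the thread
  slugToPage: { '': '6fc896e22d3c418a95ac08ce8c8c5d07' },   // '' is the site root
  notFoundPage: '00000000000000000000000000000000',         // placeholder page ID
};

// A page path ends in a 32-hex page ID once hyphens are removed.
const PAGE_ID_RE = /([0-9a-f]{32})$/i;

const normalizeId = (id) => id.replace(/-/g, '').toLowerCase();

// Decide what the proxy does with one incoming URL on the custom domain.
function decide(requestUrl, config) {
  const base = `https://${config.upstreamHost}/`;
  const notFound = { action: 'notfound', upstream: base + config.notFoundPage };

  let path;
  try {
    path = decodeURIComponent(new URL(requestUrl).pathname);
  } catch (e) {
    return notFound;                        // malformed URL or percent-encoding
  }
  path = path.replace(/^\/+|\/+$/g, '');    // trim leading and trailing slashes

  // 1. Configured slug: serve the page the owner mapped to it.
  if (Object.prototype.hasOwnProperty.call(config.slugToPage, path)) {
    return { action: 'proxy', upstream: base + normalizeId(config.slugToPage[path]) };
  }

  // 2. Page ID (bare, dashed, or after a title): forward only if the owner listed it.
  const owned = new Set(Object.values(config.slugToPage).map(normalizeId));
  const m = PAGE_ID_RE.exec(path.replace(/-/g, ''));
  if (m && owned.has(m[1].toLowerCase())) {
    return { action: 'proxy', upstream: base + m[1].toLowerCase() };
  }

  // 3. Anything else (/desktop, other workspaces' page IDs): the owner's 404 page.
  return notFound;
}
```

As written, asset and API paths that a Notion page requests also fall through to the 404 branch; a deployment would need explicit rules for them.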