Unable to view images in web view for private site

[reginabally]

It was reported in 3624089-zen that the user wasn't able to view the images on the app's web view when the site is set to Private. They were able to view the images when they changed the site's privacy setting to Public.

Expected behavior

I would expect to be able to view the images on the site through the web view on the app even though my site is set to Private.

Actual behavior

I wasn't able to see the images on the site when it is set to Private.

Steps to reproduce the behavior

1. Change a site (WordPress.com Simple site) privacy setting to Private at My Site > Settings > Privacy
2. Go to My Site > View Site
3. See the images on the site do not load
4. Switch the site's privacy to Public
5. Go to My Site > View Site
6. Notice the images on the site loading fine

Note: Reported and tested on WordPress.com Simple sites with custom domains.

Tested on iPhone SE, iOS 14.3, WPiOS 16.3. Reported in the ticket on iPhone 12 Pro Max, iOS 14.2, WPiOS 16.3

[startuptester]

I am not able to replicate this one in the latest beta or released build. Would you be able to make a video?

[reginabally]

Thanks for taking a look, @startuptester! Sorry, I didn't record a video when I was testing on my test site. However, when I tried to replicate this issue again, I wasn't able to reproduce anymore even when the site was switched to private.

There was another case reported in 3632385-zen with the user mentioned that they noticed the issue happens after they purchased a paid plan and registered a custom domain on a private site.

I will test this out, see if I can reproduce it again with a new test site, and report back.

[rezzap]

I was able to reproduce this and followed these steps:

1. Select a Private Site (WordPress.com) with a custom domain.
2. Click on My Site > View.
3. Notice the Images don't load.
4. Set the site to Hidden instead of private and then go back to My Site > View.
5. The images now load.
6. Set your site back to private and go back to My Site > View.
7. The images are still loading.
8. Create a new post from the browser or the app (same behaviour either way) with an image while the site is still in private mode and publish it.
9. View Post, images don't display.
10. Switch site privacy settings to Hidden.
11. View new posts by going to My Site > View or Blog Post > View, the images display.
12. Switch site private settings back to Private.
13. View Posts again and the images are still showing.

Replicated on iPhone X, iOS 14.2, WP iOS 16.3.0.7.

I tried to take a screen recording to show some of the difference. You can find it here: https://s.pvl.app/ApuGWRZy

This is most likely related to the work done in https://github.com/wordpress-mobile/WordPress-iOS/pull/15309

[startuptester]

Nicely done! Thank you! @aerych, are you able to take a look and see if it is related to #15309?

[aerych]

are you able to take a look and see if it is related to #15309?

This doesn't appear to be related. In fact, I can reproduce this same behavior in mobile safari and desktop safari. Will follow up with a dotcom team to see what's up. Pinged in p1610402471373700-slack-dotcom

Some related resources for posterity: https://wordpress.com/support/remote-login-permission/ p58i-9P5-p2 p9xfpQ-14l-p2

tl;dr: The current impression is this is another case were Apple's third party cookie security policies are creating unexpected hurtles.

[eduardozulian]

Another report in 3700597-zen.

I was not able to reproduce this on my end but now I'm wondering if disabling, although not recommended, the "Prevent Cross-Site Tracking" in Safari would work: https://www.macrumors.com/how-to/safari-ios-11-tracking-prevention/

[rezzap]

Another report of this in 3743685-zen

Disabling cross-site tracking in Safari did not help. The only thing that helps is changing the site privacy temporarily.

[kelasante]

Similar issue on 3813388-zen. Changing site privacy seems to help.

[mdrockwell]

Another here: 3853840-zen

[metabreakr]

4016318-zen

[mdrockwell]

Another here: 4023780-zen

[guarani]

Noting that this issue affects not just the My Site → View Site web view, but also other web views such as Blog Posts → View (see https://github.com/wordpress-mobile/WordPress-iOS/issues/16607#issuecomment-853036905).

[metabreakr]

24451083-hc

[eduardozulian]

Also in 4047173-zen when using a custom travel.blog address.

[SiobhyB]

Noting the conversation in p5T066-2lo-p2#comment-8707, where an audio file couldn't be viewed on a private site with a custom domain. The file could only be viewed after making the site public temporary and then making it private again. Tested WP app version 17.5.0.1, iPhone X, iOS 14.4.2.

I wasn't able to replicate on the same WP app (version 17.5.0.1), iPhone X, iOS 14.6, but noting here as it's the same issue of a file uploaded to a site's Media Library (an audio file, rather than an image in this case) not being visible.

Highlighting that there is an equivalent issue for Safari, too: https://github.com/Automattic/wp-calypso/issues/53102

[reginabally]

Another report in 4114827-zd-woothemes

[reginabally]

Another report in 4305899-zd-woothemes

[reginabally]

Another report in 4399933-zd-woothemes.

[as-esu]

zen-4359348 two sites were affected. On one of the sites the issue got fixed by settings site´s privacy settings to public and then back to private. On the other site the issue remains even after performing the same steps. The site on which issue still persist is using mapped domain name.

[metabreakr]

32895940-hc

[edwinho89]

Another reported issue in 4647745-zd-woothemes

[erricgunawan]

User first reached out on 33565646-hc

Then submitted a report: 4673033-zen

Gave them two workarounds to try:

1. Setting their site to Public, then back to Private
2. Setting their default WP.com site address to primary domain

[erricgunawan]

4754671-zen:

For some reason today, I cannot view any pictures that I have added or amended in the viewing pages. Everything is fine in the editing page. I have looked at settings and pictures that are visible are the same settings as ones that do it appear. Is there a solution?

It’s currently on private setting

[startuptester]

4754671-zen:

For some reason today, I cannot view any pictures that I have added or amended in the viewing pages. Everything is fine in the editing page. I have looked at settings and pictures that are visible are the same settings as ones that do it appear. Is there a solution?

It’s currently on private setting

cc: @tiagomar

[fluiddot]

Regarding the workaround of changing the visibility between public and private, I did a quick check and realized that it works mainly because the requests and images are cached. In fact, that explains why new images added after setting the site private aren't loaded, similar to the case outlined in https://github.com/wordpress-mobile/WordPress-iOS/issues/15596#issuecomment-757175133.

[fluiddot]

After performing a deeper exploration of the issue, here are some findings that I hope would be useful for addressing it in the future:

NOTE: I replaced the blog name with <BLOG> in order to anonymize the information.

• I created a site with the domain <BLOG>.travel.blog.
• Edited the Home page and added an Image block with a new image.
• When previewing the site, I used Safari to inspect the WebView that loads the site.
• [In Safari web inspector] Navigated to the Network tab and checked the network requests to both the site and image:
  • The request to the site https://<BLOG>.travel.blog/ included the authentication cookie and it was successful.
  • The request to the image https://<BLOG>travel.files.wordpress.com/2022/04/img_001.jpg failed with status code 403. I'd like to note that there was no cookie associated with the request, which explains why the request failed.
• [In Safari web inspector] Navigated to the Storage tab and checked the cookies:
  • There was a single cookie with the following values (sensible information has been replaced with ***) :
    • Name: wordpress_logged_in_***
    • Value: ***
    • Domain: <BLOG>.travel.blog
    • Path: /
    • Session: ✅
    • HttpOnly: ✅
    • Secure: ✅
• As a double-check, I tried to make a manual request using the same cookie to the image URL and also failed with status code 403.

My impression after investigating the issue is that the authentication cookie is only valid for requests made to <BLOG>.travel.blog. In this case, since the image is provided from a different domain (i.e. <BLOG>travel.files.wordpress.com) the same cookie can't be used. Not sure if it would be possible to have an extra authentication cookie for the other domain, maybe this would help on addressing the issue 🤔 .

As a side note, I also tried making the same request using a cookie obtained by logging into WP.com using the Safari app in the device, and in this case, the request was successful.

[twstokes]

👋 Thanks all for the great research. I believe this is happening because cross-site tracking (as mentioned earlier) is blocked, meaning the cookies won't be sent even if you have them. Disabling the setting in Safari will only fix this problem inside Safari and not the app, unfortunately.

Private *.wordpress.com sites shouldn't be affected by this issue, only mapped domains.

Possible solution A

• Use the URL that WordPress.com generates from the Posts or Pages list (Preview method A below)

Method A	Method B

If a user has a domain such as my.travel.blog, method A will generate a preview for the page or post with a URL such as mytravelblog.wordpress.com?p=123&preview=true where 123 is the page or post ID. This method succeeds because all content is loaded from *.wordpress.com and nothing is deemed "cross-site". It will also not force the redirect to my.travel.blog.

Possible solution B

• Add NSCrossWebsiteTrackingUsageDescription to Info.plist (for both WordPress and Jetpack) (source, see "Intelligent Tracking Prevention in WKWebView")
• Have the user go to the app in iOS settings and toggle "Allow Cross-Website Tracking" (they won't be prompted in the app, nor will it be enabled by default)

Then cookies will be sent to *.files.wordpress.com to load the private media.

This client-side solution feels subpar because it's scary looking and requires manual intervention by the user.

[mxhassani]

Another one here: 5574449-zen

[dcalhoun]

Referenced on previously linked issues, there are internal discussions (pMz3w-fNu-p2) and explorations (D86397-code) to remedy the high-level issue with back-end solutions, which may negate the need for client-side solutions in the WPiOS app.

[ha-un]

Another case: 28783920-hc

[laragee6]

Another case: zen-5766770 hc

[geekinthegirl]

A user who previously reported this issue came back to let us know they're still experiencing it: 5766770-zd

[tellisbethel]

I believe this is another case as well: 41679918-hc Had user change to default WordPress.com domain

[fditrapani]

This seems to be the case on 8308709-zd as well.