2013/10/06

Cross domain file uploads in CKEditor

In version 3.4 of the SimpleUploads plugin I've added support to upload files across domains based on the CORS spec.

If you don't use multiple domains (one server for the uploaded files and another for the editing page) then this change shouldn't affect you. Otherwise you can enable this feature by modifying your uploader to send just two headers in response to an OPTIONS request.
Some simple PHP code:
<?php
// Only a cross-domain request carries an Origin header.
if (isset($_SERVER["HTTP_ORIGIN"])) {
    // You must verify that the origin domain is on your white-list
    // before replying; here a single known admin origin is sent back.
    header('Access-Control-Allow-Origin: https://admin.example.com');
    header('Access-Control-Allow-Credentials: true');
}
// The preflight needs nothing beyond those two headers, so stop here.
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    exit(0);
}
// The upload itself (the browser's second request) is handled below.
  • First: check whether the browser has sent an Origin header. That means it's a cross domain request. Compare that domain against the list of domains that you want to allow. The usual behavior is to send back a fixed origin header like
    header('Access-Control-Allow-Origin: https://admin.example.com');
  • Second: send an Access-Control-Allow-Credentials header specifying that the browser is allowed to make a request that will use the credentials of the user at this domain. This means that if the user is logged in, the browser will send the cookies required to allow you to check his/her identity.
  • Last: as the OPTIONS request doesn't require more data in the response, you can stop any further processing here. After this first request the browser will upload the file, and you must send back the two Access-Control headers again, as shown in the sample code.
You must be careful if you want to allow this feature; after all, it opens the possibility of another attack vector.
If you're hosting the files on the same physical server, you might be able to get the same functionality by modifying just the URL that is returned after you upload a file and keeping all your code in the admin.example.com domain.
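The two-request exchange described above, written out as an added example (this is not the SimpleUploads plugin's code, nor the PHP from the post): the server-side decision is a pair of pure functions, so the preflight OPTIONS, the credentialed upload POST, and a request from a look-alike origin can all be walked through without starting a server. The whitelist, the server's own origin, the session cookie value and the files host are constructed; beyond the post's two headers it also emits Vary: Origin, and it refuses unknown cross-domain origins outright instead of merely omitting the headers.

```javascript
// Added example, not code from the SimpleUploads plugin or the post's PHP.
// Constructed/hypothetical: ALLOWED_ORIGINS, SELF_ORIGIN, VALID_SESSION,
// the request object shape, and the files host in the returned URL.

const ALLOWED_ORIGINS = new Set(["https://admin.example.com"]); // constructed white-list
const SELF_ORIGIN = "https://files.example.com";                  // the upload server itself
const VALID_SESSION = "session=s3cr3t-demo";                       // stands in for a real session store

// Returns the two headers from the post for a white-listed origin, or null.
// The lookup is an exact string match: a prefix or regex test would also
// accept "https://admin.example.com.attacker.test".
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Added beyond the post: tells shared caches the reply depends on Origin.
    "Vary": "Origin",
  };
}

// req = { method, headers: { origin?, cookie? }, body? }  (constructed shape)
function handleRequest(req) {
  const res = { status: 200, headers: {}, body: "" };
  const origin = req.headers.origin;

  // An Origin header that is not our own host means a cross-domain request.
  if (origin !== undefined && origin !== SELF_ORIGIN) {
    const cors = corsHeadersFor(origin);
    if (cors === null) {
      // Unknown origin: refuse before touching the upload at all.
      res.status = 403;
      res.body = "origin not allowed";
      return res;
    }
    Object.assign(res.headers, cors);
  }

  // First request: the preflight. Nothing else is needed in the reply.
  if (req.method === "OPTIONS") {
    res.status = 204;
    return res;
  }

  // Second request: the upload. The browser attaches the user's cookies
  // because credentials were allowed, so identity is checked here.
  if (req.method === "POST") {
    if (req.headers.cookie !== VALID_SESSION) {
      res.status = 401;
      res.body = "login required";
      return res;
    }
    const name = String(req.body.filename);
    res.headers["Content-Type"] = "application/json";
    res.body = JSON.stringify({ url: `${SELF_ORIGIN}/uploads/${name}` });
    return res;
  }

  res.status = 405;
  return res;
}

// Walks through the exchange from the post and returns all three replies.
function demoExchange() {
  const good = { origin: "https://admin.example.com", cookie: VALID_SESSION };
  return {
    preflight: handleRequest({ method: "OPTIONS", headers: good }),
    upload: handleRequest({ method: "POST", headers: good, body: { filename: "photo.png" } }),
    rejected: handleRequest({
      method: "OPTIONS",
      headers: { origin: "https://admin.example.com.attacker.test" },
    }),
  };
}

console.log(JSON.stringify(demoExchange(), null, 2));
```

Note that once Access-Control-Allow-Credentials is true, the browser ignores a wildcard `*` in Access-Control-Allow-Origin, which is why the reply must name a concrete, white-listed origin; the exact-match set above is what keeps "another attack vector" from being a look-alike domain.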

Updating some plugins

Today I've been working on some issues on plugins for CKEditor.

As I've stated previously, I don't like Github, but I'm forced to use it, and when people use things that they don't like it's obvious that things go slower than when they are happy.

I'm always afraid that if I try to do things I'll have to waste a lot of time recreating the branch again, that it will spit out errors saying that it can't merge and that I have to use the command line. I've been using Beyond Compare for so long that merging things on the command line seems like an impossible task to me, and I don't want to learn the github commands because that's not my daily job; even if I waste time learning them for one task, by the time I have to use them again I will have forgotten everything about them.

So if you see that "I'm ignoring" your patch, the reason might be simply that I don't have the time and energy to fight against Github.

The first patch was a simple one-liner by bfavors on the configuration helper plugin.

First of all, thank you.

But please, next time try to provide more info so I can quickly understand how I should test to check the bug: the browser, some simple code that shows how to load the editor. There are so many options that without more info my first thought is "Ok, now I have to guess how to reproduce that bug!" :-(

If you provide such a simple patch and also a simple testcase, it's really easy to test it and verify that it was broken and now it works. Otherwise I might think that I'll have to spend a lot of time, like it usually happens with bugs in CKEditor.

Then I've been reviewing the suggested changes to the "background image" plugin.

Some months ago OFark provided a patch to add support for background-repeat and background-position, but after merging those changes I faced some issues and moved on to other things, creating a branch so that the code didn't get lost.

More recently LazyHammer provided a new patch and this time things looked better, so I've been checking it a little, and although it is still not perfect (for example it leaves garbage styles after removing the background image on the table) it worked well enough for most people, so I've uploaded version 1.4.

If you are interested in a plugin and there's something that you want to improve, please create a patch and I'll try to review it.
The better it works and the more info about what the original problem is, the faster the review :-)