Cms: Multisite Live Preview : Access Control Allow Origin Error

Created on 9 May 2018 · 8 comments · Source: craftcms/cms

Description

I am getting a 400 response error when using live preview with a multi-site setup. The error does not occur if the user is logged into the CMS through the same URL as the site. An explanation that might make better sense:

Domains:

Tesla (Front end facing site)
SpaceX (Front end facing site)
Musk (CMS login)

The error will not occur if a user is logged into tesla.com/admin to modify an entry on the Tesla site.

The error will occur if the user is logged into musk.com/admin and is trying to modify an entry on the Tesla site.

Note: Previously I was using each front-end-facing site to log in (so tesla.com/admin and spacex.com/admin), but I modified my setup to include musk after @brandonkelly recommended having only one single URL to access the control panel (see the linked issue).

Additional info

  • Craft version: Craft Pro 3.0.6
  • PHP version: 7.0.19
  • Database driver & version: MySQL 5.7.18

Edit:

I resolved the CORS issue in my nginx config by setting the appropriate Access-Control headers. I've added them for anyone who stumbles across this issue in the future.

# Reflect the requesting Origin and allow credentialed (cookie-bearing) cross-origin requests;
# "always" emits the headers on error responses (e.g. 4xx) as well as on 2xx.
add_header "Access-Control-Allow-Origin" $http_origin always;
add_header "Access-Control-Allow-Credentials" "true" always;

I am still getting a 400 response though. I am guessing this is related to the previous issue. It appears that doing a live preview between the two sites is problematic due to the user not being authenticated. I don't see a resolution stated for that issue, so I am leaving this one open (though I expect it to be closed in favor of #1160).

An update on the proposed solution would be appreciated, but I am going to tell my client to navigate to the site URL to do updates for now.

Thank you.

Labels: enhancement, live preview
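The nginx workaround above reflects whatever Origin the browser sends back in Access-Control-Allow-Origin while also setting Access-Control-Allow-Credentials: true. That combination grants any origin a credentialed read of the authenticated control-panel session, not just the sibling sites. The following is an added example, not part of the original issue or of Craft, that keeps the same two headers but restricts the reflected origin to an explicit allow-list via an nginx map; the hostnames tesla.example, spacex.example and musk.example are placeholders standing in for the three domains described in the issue.

```nginx
# Added example (not from the issue or from Craft CMS): allow-list CORS origins for
# cross-domain live preview instead of reflecting $http_origin unconditionally.
# Hypothetical hostnames; replace with the real front-end and control-panel domains.

# "map" must live in the http {} context. Unmatched origins map to "", and nginx
# omits an add_header whose value is empty, so unknown origins get no CORS grant.
map $http_origin $cors_origin {
    default                  "";
    "https://tesla.example"  $http_origin;
    "https://spacex.example" $http_origin;
    "https://musk.example"   $http_origin;
}

server {
    listen 443 ssl;
    server_name tesla.example;

    # ... ssl_certificate / root / fastcgi settings for the site go here ...

    location / {
        # Emitted only when the Origin matched the allow-list above.
        add_header "Access-Control-Allow-Origin"      $cors_origin always;
        add_header "Access-Control-Allow-Credentials" "true"       always;
        # Tell caches that the response differs per Origin so an allowed
        # origin's response is never served to a different one.
        add_header "Vary" "Origin" always;

        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

Because the credentialed grant is now tied to a fixed set of sites, a page on any other origin that issues a request with a logged-in user's cookies receives no Access-Control-Allow-Origin header and the browser withholds the response body. Listing origins with scheme and host (no trailing slash) matches the exact string browsers send in the Origin header.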


All 8 comments

We'll look into whether it makes sense for Craft to automatically send the CORS headers when we get around to #1160 (soon).

This is the workaround we're using for cross root (or sub) domain live previews: https://gist.github.com/croxton/68bf8eaaba776230aed8ec7f5eeaba27

No need to worry about CORS with this approach as you will be able to live preview any of your sites from any of your domains, and you only need to be logged in to that one domain.

@croxton,

Thanks for the example! For now, our client is enduring an unnecessary burden, but it is a fairly simple site. I am hoping this will get rolled into core in the near future (not sure if it's on the 3.x roadmap or not, but hopefully soon). I will absolutely use that example as a fallback should we start a multi-site of any complexity.

Thanks again!

This has been implemented for Craft 3.1 (1ab6b6e6e3cd5a13c949d113c8367e7faf930ee4). You may still need to set CORS headers for other things like font URLs, but Craft at least covers the CORS headers for the initial HTML response.

@brandonkelly Is there a workaround for this on 3.0.x sites?

I've tried writing a plugin/module that attaches the Access-Control-Allow-Origin header on yii\web\Response::EVENT_BEFORE_SEND. I can see the header being attached to every page, but preview still fails.

@mikefrancis No, it required refactoring Live Preview to use token-based authentication, which is a semi-breaking change for plugins, so not something we can do for 3.0.x.

@brandonkelly Ah, ok. Is there an ETA for Craft 3.1? We have had to add another stack for previewing content changes on multi-sites, which is a bit of a headache.

@mikefrancis In the coming weeks ;)
