Wp-calypso: Previews: Some Jetpack site modal previews may fail with 404s [2]

I wasn't able to reproduce this yet, but I dug a little bit into this and wanted to leave notes on where to step through if folks are able to reproduce.

1. In Calypso the preview iframe src is set to something like https://gwwar-at55.blog/2018/11/29/the-journey-begins/?iframe=true&theme_preview=true&frame-nonce=examplenonce&cachebust=1

Note the frame-nonce parameter.

https://github.com/Automattic/wp-calypso/blob/eb4662440234155e8c10eb1921477f8e8cb4c5b4/client/components/web-preview/content.jsx#L184

1. This is validated in https://github.com/Automattic/jetpack/blob/970c62b90addcd0894c1a59a45b658d10475ea30/class.frame-nonce-preview.php#L49

See original issue in https://github.com/Automattic/jetpack/pull/4692. (Note that the block-editor does this in a slightly different way in https://github.com/Automattic/jetpack/pull/11354/files#diff-5bc82dd7b78333ce5067bd34d92debc8R46 ). See also D2472-code for the xml rpc request handling.

1. In theory, the class.frame-nonce-preview.php should also make drafts visible to whitelisted sources. I'm not sure why it's 404'ing in the above case yet as those posts are published.

I've also experimented with changing the post permalink format, but haven't had luck with that breaking previews.

If folks alternatively see the sad browser instead of a 404 page. This likely means that the X-Frame-Options is being set to "SAMEORIGN", which I don't think we'd expect for a WordPress non-admin page view.

Since posts were published and public in the report, I don't think the issue is related to the frame nonces. As long as posts are public and published, we only need the id or the title to preview them (we can even use a wrong nonce).

I'd say it might be caused by Calypso malforming the preview URLs somehow, but I didn't find any clue yet on where the issue is coming from.

Another thing I noted on the original video report is that the browser is trying to load a https://<site>/blog/<post> URL but the actual post URL doesn't include the /blog suffix. Not sure if that's related.

Another thing I noted on the original video report is that the browser is trying to load a https:///blog/ URL but the actual post URL doesn't include the /blog suffix. Not sure if that's related.

Ah, so maybe subdirectory or permalink related.

Seems to be caused by the redirection from /blog to / not handling properly the iframe and theme_preview query params added by the Calypso preview:

• ✅https://<site>/blog/<year>/<month>/<post-slug> redirects to https://<site>/<year>/<month>/<post-slug>.
• ❌https://<site>/blog/<year>/<month>/<post-slug>?iframe=true&theme_previews=true returns a 404.

Found it! Jetpack_Iframe_Embed prevents canonical redirects when the content is being embed in a iframe (indicated with the iframe and theme_preview query params set to true).

@marekhrabe seems that you worked on the Jetpack_Iframe_Embed lib. Do you happen to remember what's the reasoning behind preventing the canonical redirects? I think allowing them will avoid the issue reported on p58i-89x-p2, but I wonder if there is any security concern.

Anyway, I still don't know how to properly reproduce the issue. I don't think it is a problem with permalinks, since the home page displays the posts with the proper links (without /blog), so I have not idea where Calypso gets the /blog prefix from. Or maybe is something related to subdirectory installs as @kwight mentioned, but I'm totally unfamiliar with that.

so I have not idea where Calypso gets the /blog prefix from

That's a great lead @mmtr. Maybe around setting a specified blog page from the customizer?

so I have not idea where Calypso gets the /blog prefix from

That's a great lead @mmtr. Maybe around setting a specified blog page from the customizer?

It's coming from the site URL setting. The site URL includes the /blog prefix but the home URL is the root address without the prefix. But Calypso gives priority to the URL when building the preview URL:

https://github.com/Automattic/wp-calypso/blob/89559015de3c2010ae71d30a3f26bf823248f73b/client/state/posts/selectors.js#L562

Note how when the domain is mapped, the home URL (set in site.URL) is replaced with the site URL (set in site.options.unmapped_url).

I still cannot reproduce the issue because when I set a site URL different from the home URL, my Jetpack site refuses from loading, so I guess I'd still need to set up a redirection somewhere.

Anyway, I think p58i-89x-p2 is just a misconfiguration on the site, and the site URL should point to the root address. I don't think we should allow the canonical redirects in Jetpack_Iframe_Embed, because it doesn't make see we want to preview a post using a URL that is not the actual post URL when Calypso has the resources for previewing a post using the right URL.

I think p58i-89x-p2 is just a misconfiguration on the site, and the site URL should point to the root address

Turned out to be correctly configured. I was just confused about the terminology.

I just opened https://github.com/Automattic/jetpack/pull/13818 and D34373-code which hopefully will fix this.