Unable to view images in web view for private site

Open reginabally opened this issue 4 years ago • 34 comments

It was reported in 3624089-zen that the user wasn't able to view the images on the app's web view when the site is set to Private. They were able to view the images when they changed the site's privacy setting to Public.

Expected behavior

I would expect to be able to view the images on the site through the web view on the app even though my site is set to Private.

Actual behavior

I wasn't able to see the images on the site when it is set to Private.

Steps to reproduce the behavior

  1. Change a site (WordPress.com Simple site) privacy setting to Private at My Site > Settings > Privacy
  2. Go to My Site > View Site
  3. See the images on the site do not load
  4. Switch the site's privacy to Public
  5. Go to My Site > View Site
  6. Notice the images on the site loading fine

Note: Reported and tested on WordPress.com Simple sites with custom domains.

Tested on iPhone SE, iOS 14.3, WPiOS 16.3. Reported in the ticket on iPhone 12 Pro Max, iOS 14.2, WPiOS 16.3

reginabally avatar Jan 07 '21 02:01 reginabally

I am not able to replicate this one in the latest beta or released build. Would you be able to make a video?

startuptester avatar Jan 08 '21 22:01 startuptester

Thanks for taking a look, @startuptester! Sorry, I didn't record a video when I was testing on my test site. However, when I tried to replicate this issue again, I wasn't able to reproduce it anymore, even when the site was switched to private.

There was another case reported in 3632385-zen where the user mentioned that they noticed the issue happens after they purchased a paid plan and registered a custom domain on a private site.

I will test this out, see if I can reproduce it again with a new test site, and report back.

reginabally avatar Jan 09 '21 01:01 reginabally

I was able to reproduce this and followed these steps:

  1. Select a Private Site (WordPress.com) with a custom domain.
  2. Click on My Site > View.
  3. Notice the Images don't load.
  4. Set the site to Hidden instead of private and then go back to My Site > View.
  5. The images now load.
  6. Set your site back to private and go back to My Site > View.
  7. The images are still loading.
  8. Create a new post from the browser or the app (same behaviour either way) with an image while the site is still in private mode and publish it.
  9. View Post, images don't display.
  10. Switch site privacy settings to Hidden.
  11. View new posts by going to My Site > View or Blog Post > View, the images display.
  12. Switch site private settings back to Private.
  13. View Posts again and the images are still showing.

Replicated on iPhone X, iOS 14.2, WP iOS 16.3.0.7.

I tried to take a screen recording to show some of the difference. You can find it here: https://s.pvl.app/ApuGWRZy

This is most likely related to the work done in https://github.com/wordpress-mobile/WordPress-iOS/pull/15309

rezzap avatar Jan 09 '21 13:01 rezzap

Nicely done! Thank you! @aerych, are you able to take a look and see if it is related to #15309?

startuptester avatar Jan 11 '21 18:01 startuptester

are you able to take a look and see if it is related to #15309?

This doesn't appear to be related. In fact, I can reproduce this same behavior in mobile safari and desktop safari. Will follow up with a dotcom team to see what's up. Pinged in p1610402471373700-slack-dotcom

Some related resources for posterity: https://wordpress.com/support/remote-login-permission/ p58i-9P5-p2 p9xfpQ-14l-p2

tl;dr: The current impression is this is another case where Apple's third party cookie security policies are creating unexpected hurdles.

aerych avatar Jan 11 '21 21:01 aerych

Another report in 3700597-zen.

I was not able to reproduce this on my end but now I'm wondering if disabling, although not recommended, the "Prevent Cross-Site Tracking" in Safari would work: https://www.macrumors.com/how-to/safari-ios-11-tracking-prevention/

eduardozulian avatar Feb 01 '21 13:02 eduardozulian

Another report of this in 3743685-zen

Disabling cross-site tracking in Safari did not help. The only thing that helps is changing the site privacy temporarily.

rezzap avatar Feb 17 '21 11:02 rezzap

Similar issue on 3813388-zen. Changing site privacy seems to help.

kelasante avatar Mar 12 '21 05:03 kelasante

Another here: 3853840-zen

mdrockwell avatar Mar 25 '21 18:03 mdrockwell

4016318-zen

metabreakr avatar May 26 '21 14:05 metabreakr

Another here: 4023780-zen

mdrockwell avatar May 28 '21 18:05 mdrockwell

Noting that this issue affects not just the My Site → View Site web view, but also other web views such as Blog Posts → View (see https://github.com/wordpress-mobile/WordPress-iOS/issues/16607#issuecomment-853036905).

guarani avatar Jun 02 '21 13:06 guarani

24451083-hc

metabreakr avatar Jun 08 '21 15:06 metabreakr

Also in 4047173-zen when using a custom travel.blog address.

eduardozulian avatar Jun 09 '21 16:06 eduardozulian

Noting the conversation in p5T066-2lo-p2#comment-8707, where an audio file couldn't be viewed on a private site with a custom domain. The file could only be viewed after making the site public temporarily and then making it private again. Tested WP app version 17.5.0.1, iPhone X, iOS 14.4.2.

I wasn't able to replicate on the same WP app (version 17.5.0.1), iPhone X, iOS 14.6, but noting here as it's the same issue of a file uploaded to a site's Media Library (an audio file, rather than an image in this case) not being visible.

Highlighting that there is an equivalent issue for Safari, too: https://github.com/Automattic/wp-calypso/issues/53102

SiobhyB avatar Jun 11 '21 10:06 SiobhyB

Another report in 4114827-zd-woothemes

reginabally avatar Jul 05 '21 02:07 reginabally

Another report in 4305899-zd-woothemes

reginabally avatar Sep 18 '21 00:09 reginabally

Another report in 4399933-zd-woothemes.

reginabally avatar Oct 25 '21 03:10 reginabally

zen-4359348: two sites were affected. On one of the sites the issue got fixed by setting the site's privacy settings to public and then back to private. On the other site the issue remains even after performing the same steps. The site on which the issue still persists is using a mapped domain name.

as-esu avatar Oct 28 '21 06:10 as-esu

32895940-hc

metabreakr avatar Nov 24 '21 16:11 metabreakr

Another reported issue in 4647745-zd-woothemes

edwinho89 avatar Jan 04 '22 09:01 edwinho89

User first reached out on 33565646-hc

Then submitted a report: 4673033-zen

Gave them two workarounds to try:

  1. Setting their site to Public, then back to Private
  2. Setting their default WP.com site address to primary domain

erricgunawan avatar Jan 10 '22 04:01 erricgunawan

4754671-zen:

For some reason today, I cannot view any pictures that I have added or amended in the viewing pages. Everything is fine in the editing page. I have looked at settings and pictures that are visible are the same settings as ones that do it appear. Is there a solution?

It’s currently on private setting

erricgunawan avatar Feb 11 '22 05:02 erricgunawan

4754671-zen:

For some reason today, I cannot view any pictures that I have added or amended in the viewing pages. Everything is fine in the editing page. I have looked at settings and pictures that are visible are the same settings as ones that do it appear. Is there a solution?

It’s currently on private setting

cc: @tiagomar

startuptester avatar Feb 11 '22 19:02 startuptester

Regarding the workaround of changing the visibility between public and private, I did a quick check and realized that it works mainly because the requests and images are cached. In fact, that explains why new images added after setting the site private aren't loaded, similar to the case outlined in https://github.com/wordpress-mobile/WordPress-iOS/issues/15596#issuecomment-757175133.

fluiddot avatar Apr 29 '22 15:04 fluiddot

After performing a deeper exploration of the issue, here are some findings that I hope would be useful for addressing it in the future:

NOTE: I replaced the blog name with <BLOG> in order to anonymize the information.

  • I created a site with the domain <BLOG>.travel.blog.
  • Edited the Home page and added an Image block with a new image.
  • When previewing the site, I used Safari to inspect the WebView that loads the site.
  • [In Safari web inspector] Navigated to the Network tab and checked the network requests to both the site and image:
    • The request to the site https://<BLOG>.travel.blog/ included the authentication cookie and it was successful.
    • The request to the image https://<BLOG>travel.files.wordpress.com/2022/04/img_001.jpg failed with status code 403. I'd like to note that there was no cookie associated with the request, which explains why the request failed.
  • [In Safari web inspector] Navigated to the Storage tab and checked the cookies:
    • There was a single cookie with the following values (sensitive information has been replaced with ***):
      • Name: wordpress_logged_in_***
      • Value: ***
      • Domain: <BLOG>.travel.blog
      • Path: /
      • Session: ✅
      • HttpOnly: ✅
      • Secure: ✅
  • As a double-check, I tried to make a manual request using the same cookie to the image URL and also failed with status code 403.

My impression after investigating the issue is that the authentication cookie is only valid for requests made to <BLOG>.travel.blog. In this case, since the image is provided from a different domain (i.e. <BLOG>travel.files.wordpress.com), the same cookie can't be used. Not sure if it would be possible to have an extra authentication cookie for the other domain; maybe this would help in addressing the issue 🤔.

As a side note, I also tried making the same request using a cookie obtained by logging into WP.com using the Safari app in the device, and in this case, the request was successful.

fluiddot avatar Apr 29 '22 15:04 fluiddot
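The client-side half of the finding in the comment above, reproduced as an added example (not code from WordPress-iOS or from any commenter): RFC 6265 domain and path matching decides which requests a cookie is attached to. The blog name `example`, the cookie name suffix and the `Cookie` class are constructed placeholders; IP-address hosts and server-side validation of the cookie value are out of scope.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    domain: str             # host the cookie is scoped to
    path: str = "/"
    secure: bool = True
    host_only: bool = True  # True when Set-Cookie carried no Domain attribute

def domain_match(host: str, cookie: Cookie) -> bool:
    """RFC 6265 section 5.1.3: exact host, or a subdomain if Domain was set."""
    host = host.lower().rstrip(".")
    dom = cookie.domain.lower().lstrip(".")
    if host == dom:
        return True
    return (not cookie.host_only) and host.endswith("." + dom)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4: cookie path must be a whole-segment prefix."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_for(url: str, jar: list) -> list:
    """Names of the cookies a user agent would attach to a request for url."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    return [c.name for c in jar
            if domain_match(host, c)
            and path_match(path, c.path)
            and (parts.scheme == "https" or not c.secure)]

# Constructed values mirroring the shape of the hosts in the comment.
SITE_URL = "https://example.travel.blog/"
IMAGE_URL = "https://exampletravel.files.wordpress.com/2022/04/img_001.jpg"
AUTH = "wordpress_logged_in_PLACEHOLDER"

HOST_ONLY_JAR = [Cookie(AUTH, "example.travel.blog")]
# Even a cookie set with Domain=example.travel.blog never reaches the media host.
DOMAIN_JAR = [Cookie(AUTH, "example.travel.blog", host_only=False)]

if __name__ == "__main__":
    for label, jar in (("host-only", HOST_ONLY_JAR), ("Domain attr", DOMAIN_JAR)):
        print(label, "site :", cookies_for(SITE_URL, jar))
        print(label, "image:", cookies_for(IMAGE_URL, jar))
```

In both variants the image request leaves without the authentication cookie, which is the unauthenticated request the inspector showed returning 403.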

👋 Thanks all for the great research. I believe this is happening because cross-site tracking (as mentioned earlier) is blocked, meaning the cookies won't be sent even if you have them. Disabling the setting in Safari will only fix this problem inside Safari and not the app, unfortunately.

Private *.wordpress.com sites shouldn't be affected by this issue, only mapped domains.

Possible solution A

  • Use the URL that WordPress.com generates from the Posts or Pages list (Preview method A below)
[Screenshots: Method A, Method B]

If a user has a domain such as my.travel.blog, method A will generate a preview for the page or post with a URL such as mytravelblog.wordpress.com?p=123&preview=true where 123 is the page or post ID. This method succeeds because all content is loaded from *.wordpress.com and nothing is deemed "cross-site". It will also not force the redirect to my.travel.blog.

Possible solution B

  • Add NSCrossWebsiteTrackingUsageDescription to Info.plist (for both WordPress and Jetpack) (source, see "Intelligent Tracking Prevention in WKWebView")
  • Have the user go to the app in iOS settings and toggle "Allow Cross-Website Tracking" (they won't be prompted in the app, nor will it be enabled by default)

Then cookies will be sent to *.files.wordpress.com to load the private media.

This client-side solution feels subpar because it's scary looking and requires manual intervention by the user.

twstokes avatar Jul 08 '22 21:07 twstokes

Another one here: 5574449-zen

mxhassani avatar Sep 24 '22 08:09 mxhassani

Referenced on previously linked issues, there are internal discussions (pMz3w-fNu-p2) and explorations (D86397-code) to remedy the high-level issue with back-end solutions, which may negate the need for client-side solutions in the WPiOS app.

dcalhoun avatar Oct 10 '22 17:10 dcalhoun

Another case: 28783920-hc

ha-un avatar Nov 18 '22 20:11 ha-un