leandrorlemos's picture
Joined: 05/04/2010
Posts: 4
CKFinder in a different host from the CKEditor
First of all, sorry for my English...

I'm trying to set up CKFinder to run on a different host from my CKEditor and I don't see why this doesn't work. I need to do this because I have one domain to handle my image files and another domain where my CMS system is placed. My CKEditor runs in the CMS domain with the following config (assume that IMAGE_URL is my images domain):
            CKEDITOR.replace( 'campotexto',
            {
               filebrowserBrowseUrl : '".IMAGE_URL."/ckfinder/ckfinder.html',
               filebrowserImageBrowseUrl : '".IMAGE_URL."/ckfinder/ckfinder.html?Type=Images',
               filebrowserUploadUrl : '".IMAGE_URL."/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Files',
               filebrowserImageUploadUrl : '".IMAGE_URL."/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Images'
            });


The above configuration, if pointing to the same domain where the CKEditor is, runs perfectly. But with another domain it loads the initial screen with just the title 'Folders', without loading any folders or files. The config of the CKFinder is the same on both hosts.

Using the CKEditor and the CKFinder on the same host is not an option for me because my CMS system is generic and serves multiple web sites, each one with its own images folder. If someone has been through this, please give me some help.
sonnysavage's picture
Joined: 02/04/2010
Posts: 10
Re: CKFinder in a different host from the CKEditor
What errors are you getting? Are they XSS errors?
leandrorlemos's picture
Joined: 05/04/2010
Posts: 4
Re: CKFinder in a different host from the CKEditor
sonnysavage wrote: What errors are you getting? Are they XSS errors?


CKFinder is not giving me any feedback. I watched the transactions through Firebug and what happens is that when it runs on the same host, 3 ajax requests are sent, but when it is on a different host than the CKEditor it makes just one ajax call, with the same response, and the other two are not being called. The ajax request is to: http://hostname/ckfinder/core/connector ... angCode=en

No error from the PHP, no error from Firebug; it just makes the first call and stops. Today I realized that this problem scenario runs fine in the Chrome or Safari browsers, but a new problem appears. When I select an image, the path of the selected file is not returned to the CKEditor; the URL field is empty.

I think that all those problems are part of the same problem, because they all happen when the hosts are different. Why should this be an XSS error? All CKFinder scripts are running on the same host, and the ajax calls are sending the correct referer.
sonnysavage's picture
Joined: 02/04/2010
Posts: 10
Re: CKFinder in a different host from the CKEditor
I'm sorry, but I don't have an answer for you. I am a new user of CKEditor myself. Your response definitely clarifies the question.
alfonsoml's picture
Joined: 31/12/2006
Posts: 3753
Re: CKFinder in a different host from the CKEditor
Basically a XSS is when a page hosted in one domain tries to execute code from another domain, so your description fits exactly that situation.
leandrorlemos's picture
Joined: 05/04/2010
Posts: 4
Re: CKFinder in a different host from the CKEditor
alfonsoml wrote: Basically a XSS is when a page hosted in one domain tries to execute code from another domain, so your description fits exactly that situation.


CKFinder is hosted in one place, the caller of the CKFinder is on another host. Whoever calls domain/ckfinder/ckfinder.html is on another host. The XSS problem should occur if ckfinder.html were in a different place than the PHP files. Then the ajax calls would be crossing two domains, which is not what is happening.
alfonsoml's picture
Joined: 31/12/2006
Posts: 3753
Re: CKFinder in a different host from the CKEditor
CKFinder is hosted in one place, the caller of the CKFinder is in another host.


And that's called Cross-site scripting.

Test this:
Save this file as launch.html on the CKEditor host
<!DOCTYPE html>
<html>
<head>
   <title>parent</title>
   <script type="text/javascript">
function hello()
{
   alert( 'This is the parent window' );
}

var child;
function launch()
{
   var url = document.getElementById( 'url' ).value;
   child = window.open(url);
   document.getElementById( 'init' ).style.display = 'none';
   document.getElementById( 'tests' ).style.display = '';
}

function childHello()
{
   child.hello();
}
   </script>
</head>
<body>
   <div id="init">
      <input type="text" id="url" value="child.html"><input type="button" onclick="launch()" value="Launch child">
   </div>
   <div id="tests" style="display:none">
      <input type="button" onclick="hello()" value="test this window"><br>
      <input type="button" onclick="childHello()" value="test the child window">
   </div>
</body>
</html>


And this code as child.html
<!DOCTYPE html>
<html>
<head>
   <title>child</title>
   <script type="text/javascript">
function hello()
{
   alert( 'This is the child window' );
}

function parentHello()
{
   window.opener.hello();
}
   </script>
</head>
<body>
   <input type="button" onclick="hello()" value="test this window"><br>
   <input type="button" onclick="parentHello()" value="test the Parent window">
</body>
</html>


You can test that if both files are in the same server it works correctly, but if you move the child to another domain and try to launch that from the parent you can't call the functions of the other window.
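
Browsers block direct function calls between windows of different origins, which is what the launch.html/child.html test shows; the supported way for a file browser on one host to hand a selected URL back to an editor page on another is window.postMessage with origin checks on both ends. The following is an added sketch, not part of the original thread and not CKFinder or CKEditor code; the origins, message shape and function names are assumptions.

```javascript
// Added example: origins, message shape and names are assumptions,
// not CKFinder or CKEditor API.
const EDITOR_ORIGIN = 'https://cms.example';    // constructed: host serving the editor page
const FINDER_ORIGIN = 'https://images.example'; // constructed: host serving the file browser

// File-browser side (the popup): hand the chosen URL to the opener.
// The second argument pins the recipient origin; '*' would let any page
// that opened the popup receive the message.
function sendSelection(openerWindow, fileUrl) {
  openerWindow.postMessage({ type: 'file-selected', url: fileUrl }, EDITOR_ORIGIN);
}

// Editor side: build a 'message' listener that accepts only well-formed
// messages from the file-browser origin. Returns true when one was accepted.
function makeSelectionHandler(onSelect) {
  return function handle(event) {
    // Reject anything not sent by the file-browser origin.
    if (event.origin !== FINDER_ORIGIN) return false;
    const data = event.data;
    if (!data || data.type !== 'file-selected' || typeof data.url !== 'string') {
      return false;
    }
    let parsed;
    try {
      parsed = new URL(data.url); // throws on relative or malformed input
    } catch (e) {
      return false;
    }
    // Accept only https links on the image host: this rejects javascript:
    // URLs and links to hosts the editor never configured.
    if (parsed.protocol !== 'https:' || parsed.origin !== FINDER_ORIGIN) {
      return false;
    }
    onSelect(parsed.href);
    return true;
  };
}

// In a browser, the editor page would register it like this:
//   window.addEventListener('message', makeSelectionHandler(setUrlField));
// where setUrlField is a hypothetical callback that fills the dialog's URL field.
```
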
leandrorlemos's picture
Joined: 05/04/2010
Posts: 4
Re: CKFinder in a different host from the CKEditor
Now I see, thanks for the example.