CKEditor 4
Mon, 04/05/2010 - 22:56
#1
leandrorlemos
leandrorlemos's picture
Joined: 05/04/2010
Posts: 4

CKFinder in a different host from the CKEditor

Firt of all, sorry for my english...

I'm trying to setup the CKFinder to run at a different host from my CKEditor and i dont see why this dosent work. I need to do this cause a have a domain to handle my image files and another domain where my CMS system is placed. In the CMS domain is running my CKEditor with the following config (Assume that IMAGE_URL is my images domain):
            CKEDITOR.replace( 'campotexto',
            {
               filebrowserBrowseUrl : '".IMAGE_URL."/ckfinder/ckfinder.html',
               filebrowserImageBrowseUrl : '".IMAGE_URL."/ckfinder/ckfinder.html?Type=Images',
               filebrowserUploadUrl : '".IMAGE_URL."/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Files',
               filebrowserImageUploadUrl : '".IMAGE_URL."/ckfinder/core/connector/php/connector.php?command=QuickUpload&type=Images'
            });


The above configuration if pointing to the same domain where the CKEditor is, runs perfectly. But to another domain it is loading the initial screen just with the title 'Folders', without load any folders or files. The config of the CKFinder is the same in both hosts.

Using the CKEditor and the CKFinder in the same host is not a option for me cause my CMS system is generic and attends multiple web sites, each one with your own images folder. If someone passed throw this, please give me some help.
Top
Tue, 04/06/2010 - 16:43
sonnysavage
sonnysavage's picture
Joined: 02/04/2010
Posts: 10

Re: CKFinder in a different host from the CKEditor

What errors are you getting? Are they XSS errors?
Top
Tue, 04/06/2010 - 17:04
leandrorlemos
leandrorlemos's picture
Joined: 05/04/2010
Posts: 4

Re: CKFinder in a different host from the CKEditor

sonnysavage wrote:What errors are you getting? Are they XSS errors?


The CkFinder is not giving me any feedback. I watched the transactions throw the firebug and what happens is that when it runs in the same host, 3 ajax requests are send, but when in a different host than the CKEditor it makes just one ajax call, with the same response, but the other two is not been called. The ajax request is to: http://hostname/ckfinder/core/connector ... angCode=en

No error from the PHP, no error from the Firebug, just make the first call and stop. Today I realized that this scenario with problem is running well on the chrome or safari browsers, but appears a new problem. When I select an image the path of the selected file is not returning to the CKeditor, the field URL is empty.

I think that all those problems is part of the same problem, because all happens when the hosts are different. Why this should be a XSS error? All CKFinder scripts is running in the same host, the ajax calls are sending the correct referer.

Top
Tue, 04/06/2010 - 23:06
sonnysavage
sonnysavage's picture
Joined: 02/04/2010
Posts: 10

Re: CKFinder in a different host from the CKEditor

I'm sorry, but I don't have an answer for you. I am a new user of CKEditor myself. Your response definitely clarifies the question.
Top
Wed, 04/07/2010 - 23:41
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3735

Re: CKFinder in a different host from the CKEditor

Basically a XSS is when a page hosted in one domain tries to execute code from another domain, so your description fits exactly that situation.
Top
Thu, 04/08/2010 - 14:44
leandrorlemos
leandrorlemos's picture
Joined: 05/04/2010
Posts: 4

Re: CKFinder in a different host from the CKEditor

alfonsoml wrote:Basically a XSS is when a page hosted in one domain tries to execute code from another domain, so your description fits exactly that situation.


CKFinder is hosted in one place, the caller of the CKFinder is in another host. Who calls domain/ckfinder/ckfinder.html is in another host. The XSS problem should occur if the ckfinder.html was in a different place than the php files. So the ajax calls would crossing over two domains, that is not what is happening.
Top
Thu, 04/08/2010 - 15:58
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3735

Re: CKFinder in a different host from the CKEditor

CKFinder is hosted in one place, the caller of the CKFinder is in another host.


And that's called Cross-site scripting.

Test this:
save this file as launch.html in the CKEditor host
<!DOCTYPE html>
<html>
<head>
   <title>parent</title>
   <script type="text/javascript">
function hello()
{
   alert( 'This is the parent window' );
}

var child;
function launch()
{
   var url = document.getElementById( 'url' ).value;
   child = window.open(url);
   document.getElementById( 'init' ).style.display = 'none';
   document.getElementById( 'tests' ).style.display = '';
}

function childHello()
{
   child.hello();
}
   </script>
</head>
<body>
   <div id="init">
      <input type="text" id="url" value="child.html"><input type="button" onclick="launch()" value="Launch child">
   </div>
   <div id="tests" style="display:none">
      <input type="button" onclick="hello()" value="test this window"><br>
      <input type="button" onclick="childHello()" value="test the child window">
   </div>
</body>
</html>


And this code as child.html 
<!DOCTYPE html>
<html>
<head>
   <title>child</title>
   <script type="text/javascript">
function hello()
{
   alert( 'This is the child window' );
}

function parentHello()
{
   window.opener.hello();
}
   </script>
</head>
<body>
   <input type="button" onclick="hello()" value="test this window"><br>
   <input type="button" onclick="parentHello()" value="test the Parent window">
</body>
</html>


You can test that if both files are in the same server it works correctly, but if you move the child to another domain and try to launch that from the parent you can't call the functions of the other window.
Top
Fri, 04/09/2010 - 16:13
leandrorlemos
leandrorlemos's picture
Joined: 05/04/2010
Posts: 4

Re: CKFinder in a different host from the CKEditor

alfonsoml wrote:
CKFinder is hosted in one place, the caller of the CKFinder is in another host.


And that's called Cross-site scripting.

Test this:
save this file as launch.html in the CKEditor host
<!DOCTYPE html>
<html>
<head>
   <title>parent</title>
   <script type="text/javascript">
function hello()
{
   alert( 'This is the parent window' );
}

var child;
function launch()
{
   var url = document.getElementById( 'url' ).value;
   child = window.open(url);
   document.getElementById( 'init' ).style.display = 'none';
   document.getElementById( 'tests' ).style.display = '';
}

function childHello()
{
   child.hello();
}
   </script>
</head>
<body>
   <div id="init">
      <input type="text" id="url" value="child.html"><input type="button" onclick="launch()" value="Launch child">
   </div>
   <div id="tests" style="display:none">
      <input type="button" onclick="hello()" value="test this window"><br>
      <input type="button" onclick="childHello()" value="test the child window">
   </div>
</body>
</html>


And this code as child.html 
<!DOCTYPE html>
<html>
<head>
   <title>child</title>
   <script type="text/javascript">
function hello()
{
   alert( 'This is the child window' );
}

function parentHello()
{
   window.opener.hello();
}
   </script>
</head>
<body>
   <input type="button" onclick="hello()" value="test this window"><br>
   <input type="button" onclick="parentHello()" value="test the Parent window">
</body>
</html>


You can test that if both files are in the same server it works correctly, but if you move the child to another domain and try to launch that from the parent you can't call the functions of the other window.


Now I see, thanks by the example.
Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check