#3568 closed Bug (fixed)

Since 1.9.2 optOut does not work any more for Chrome in multi-port configuration for one domain

Reported by: culinacard
Owned by:
Priority: critical
Milestone: 1.11 - Piwik 1.11
Component: Core
Keywords: optOut, Chrome, multi-port, domain
Cc:
Sensitive: no

Description

In Piwik 1.9, I have registered one domain for Piwik. For security reasons, I configured Piwik to a special port, 8443 (SSL) (the other ports have content-security-policy activated, which Piwik does not support yet). On port 80 (http) and 443 (https) Piwik is included in the user pages to track the users. Note that all files for all ports use the same htdocs directory, so the Piwik installation is NOT copied for each port, but reused.

We moreover have a Piwik opt-out included on our privacy page, which is located on port 443 (https). You can have a look at it and see it working here, at the bottom of the page (Piwik 1.9 is still installed there):

https://culinacard.com/controller?ac=110

So far, so good. Now, after the update of our development system to Piwik 1.9.2, the opt-out logic does not work any more on Chrome. If I click on the opt-out checkbox, the page is reloaded, but it does not change the status. It DOES STILL work on Firefox, however. So the problem must have to do with an interaction of the opt-out mechanism with Chrome. You can test the problem here:

https://dev.culinacard.com/controller?ac=110
HTTP-User: culina
HTTP-Password: debugging

You can see there that it works with Firefox, but not with Chrome. Strangely, if I call the optOut inline frame outside the frame and with the port 8443, it DOES work in Chrome:

https://dev.culinacard.com:8443/piwik/index.php?module=CoreAdminHome&action=optOut&language=de

However, we do not want to use the port 8443 on a normal user page. We definitely need port 443. Otherwise, some users might not be able to reach it, if their firewall does not allow other ports than 443 and 80.

I think this bug is critical, as in Germany, we have very restrictive privacy laws. We need to provide at least this opt-out for our users, never mind which browser they use. And Chrome is a very important browser, moreover.

So, a short analysis of this bug is the following:
"optOut does not work any more with Chrome, if Piwik 1.9.2 was installed on another port than the optOut page is used on, and if only one domain is used. But it works with Piwik 1.9 without any issues."

Change History (4)

comment:1 Changed 17 months ago by culinacard

I have now also tested this functionality with IE9. It works like a charm... But still, not with Chrome.

All my tests were performed on two different computers, one with Windows Vista and the other one with Windows 7. Both have the browsers Chrome, IE9 and Firefox installed. On both machines, the privacy page works for IE9 and Firefox, but not for Chrome.

comment:2 Changed 15 months ago by capedfuzz (diosmosis)

@culinacard Hi, I managed to reproduce this bug and I think I know what you need to do to fix it. In one of the Piwik 1.9.X versions an extra security measure was added where host values were tested against a list of trusted hosts. In the update the host you use is assumed to be the only trusted host. In your case, this was probably 'culinacard.com:8443'. The iframe, however, tries to go to https://culinacard.com and host verification fails since only culinacard.com:8443 is trusted. To fix this, add:

trusted_hosts[] = "culinacard.com"

under [General] in your config/config.ini.php.

Let me know if this works!
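
The check described in comment:2, as an added Python example that is not part of the ticket and not Piwik's own code: it reads `trusted_hosts[]` entries from a constructed `[General]` section and tests Host header values against them before and after the suggested line is added. The function names and the matching rule (exact match, with the scheme's default port dropped) are assumptions made for illustration.

```python
import re

# Constructed config text in the PHP-style INI layout of config/config.ini.php.
CONFIG_BEFORE = '[General]\ntrusted_hosts[] = "culinacard.com:8443"\n'
CONFIG_AFTER = CONFIG_BEFORE + 'trusted_hosts[] = "culinacard.com"\n'

SECTION = re.compile(r'^\s*\[([^\]]+)\]\s*$')
ENTRY = re.compile(r'^\s*trusted_hosts\[\]\s*=\s*"?([^"\s]+)"?\s*$')
DEFAULT_PORT = {"http": "80", "https": "443"}


def trusted_hosts(ini_text):
    """Collect the trusted_hosts[] entries found under [General]."""
    hosts, section = [], None
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):  # INI comment line
            continue
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1)
            continue
        entry = ENTRY.match(line)
        if entry and section == "General":
            hosts.append(entry.group(1).lower())
    return hosts


def normalize(host_header, scheme):
    """Lower-case a Host header value and drop the scheme's default port."""
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port == DEFAULT_PORT[scheme]:
        return name
    return host


def is_trusted(host_header, scheme, allowed):
    """Assumed rule: exact match against the list, port included."""
    return normalize(host_header, scheme) in allowed


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        allowed = trusted_hosts(cfg)
        for host in ("culinacard.com:8443", "culinacard.com"):
            print(label, host, is_trusted(host, "https", allowed))
```

With only the port-8443 entry present, the opt-out iframe's request on port 443 carries a Host value that is not in the list, which matches the failure reported in this ticket.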

comment:3 Changed 15 months ago by culinacard

Wow, works like a charm! I have now edited config.ini.php and global.ini.php to add the domain as trusted host. Thank you very much for your help! Now I can make an update of my Piwik installations...

comment:4 Changed 15 months ago by capedfuzz (diosmosis)

  • Resolution set to fixed
  • Status changed from new to closed

Glad it worked! Closing the ticket now.

Also, note that global.ini.php is meant to hold the "default" config values, so you don't have to change it, just config.ini.php. I don't think it'll break anything if you do, though.
