I use the code
<cfajaximport tags="cfform, cfmessagebox, cfwindow">
<cfwindow bodystyle="background:white;font:12px/normal arial, Helvetica, sans-serif;" initShow="true" width="350" height="255" name="signin" center="true" resizable="false" draggable="false" source="login.htm"/>
and it is working fine. The sign in window appears. However, I want to change it to a secured URL by entering the full URL
<cfajaximport tags="cfform, cfmessagebox, cfwindow">
<cfwindow bodystyle="background:white;font:12px/normal arial, Helvetica, sans-serif;" initShow="true" width="350" height="255" name="signin" enter="true" resizable="false" draggable="false" source="https://mydomain/login.htm"/>
The pop-up cfwindow shows blank. Why is that? Any help is appreciated.
Is the main page the CFWindows is part of also on HTTPS?
The page that calls the secured login page is not on https.
Why don't you rename the page to .cfm? ColdFusion does not process HTML pages.
I made CF process .htm as well. I read somewhere that it's best to hide from public what technology you are using.
jackhuang wrote:
I made CF process .htm as well.
No, you cannot. Again, Jackhuang, you see a blank page because ColdFusion does not process the CFML code on the HTML page. I am assuming here that you are using the default ColdFusion extensions CFM, CFML, CFC, etc.
Then the web server does not send HTML files to ColdFusion for processing. It simply sends them as text to the browser. You are seeing nothing because browsers don't display tags. However, you will see the text if you open the URL in a browser and view the source.
Oh, and I agree with Scott and Carl that you should avoid ColdFusion UI tags like cfwindow. You could use simple ol' JavaScript.
Because CFWindow.
What happens when you go to the URL directly in a browser window rather than from CFWINDOW?
It works normally with https prefix. It's just a simple sign in form.
Because that is considered a cross-domain request (although it seems to be only cross-protocol, in reality an http address can resolve to a different virtual host from an https address). Take a look at this StackOverflow thread for some suggested workarounds.
Also, this is probably easier to deal with using **anything** other than CFWindow, as Scott suggests.
I am not sure a blank page is because of the cross-domain issue? If you can suggest a good simple solution that can pop up a window automatically, similar to the cfwindow i.e. not movable or scalable and source can't be viewed that will be great.
An update after a reread.
jackhuang wrote:
I made CF process .htm as well. I read somewhere that it's best to hide from public what technology you are using.
Do I understand correctly that you added .htm to the extension mappings list in the web server configuration?
The .htm extension was added on the server so all .htm will be processed by CF
Do you see any errors or messages in the browser console when the window tries to load?
I see in the console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://mydomain.com/login.htm?_cf_containerId=signmein_body&_cf_nodebug=true&_cf_nocache=true&_cf_r.... This can be fixed by moving the resource to the same domain or enabling CORS.
So I either have to add the access control as suggested by Carl or use another way of automatically popping up a secured sign in window. Any suggestion is welcome.
Did you look at the link Carl posted?
If not, why not?
If so, why do you need other suggestions?
I did. The cfwindow is easy to use, but when it pops up, it actually messed up the CSS layout of the calling page for some reason. It's not that obvious (it took the top margin off) but if there is another way to do this I would try it.
Carl, the header:
Header set Access-Control-Allow-Origin https://www.mydomain.com
has been added to the .htaccess but it is still not working. This cfwindow is driving me crazy.
jackhuang wrote:
Carl, the header:
Header set Access-Control-Allow-Origin https://www.mydomain.com
has been added to the .htaccess but it is still not working.
What about just adding
<cfheader name="Access-Control-Allow-Origin" value="https://www.mydomain.com">
or
<cfscript>
response = getPageContext().getResponse();
response.setHeader("Access-Control-Allow-Origin","https://www.mydomain.com");
</cfscript>
to the top of the page?
Thanks BKBK. I have tried both plus .htaccess changes to no avail. I am still getting the same error message in the Firefox console:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.mydomain.com/login.htm?_cf_containerId=signmein_body&_cf_nodebug=true&_cf_nocache=true&_.... This can be fixed by moving the resource to the same domain or enabling CORS.
I am ready to give up on cfwindow. Either Firefox is not telling the truth or cfwindow is doing something non-standard. But I need something to replace it that I will be able to pop up without clicking on a button. I use cfwindow for signing in when I detect that the user is trying to enter a form without signing in.
I would experiment some more. On which page do you add the header? You could experiment by placing it in the Application file. You could also replace the domain https://www.mydomain.com with the wildcard *.
I have placed it on both the http calling page and the called https page. I tried with the * as well. None is working. I don't use an Application file. It can't be possible that I am the only one having this issue.
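A simplified model of the check behind the console message quoted in this thread, added here as an illustration and not part of any post. The hostnames are constructed placeholders, the function names are hypothetical, and preflight requests are not modelled.

```javascript
// Added illustration: simplified model of the browser's same-origin and
// CORS read check. Hostnames below are constructed placeholders.

// An origin is the (scheme, host, port) triple; URL normalises default ports.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether script on `pageUrl` may read the response from `resourceUrl`.
// `responseHeaders` are the headers sent WITH THE RESOURCE (the called page);
// headers set on the calling page play no part in the check.
function canRead(pageUrl, resourceUrl, responseHeaders, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(resourceUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  // Header names are case-insensitive.
  const headers = {};
  for (const [k, v] of Object.entries(responseHeaders)) headers[k.toLowerCase()] = v.trim();
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "cross-origin, no Access-Control-Allow-Origin" };
  }
  if (acao === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard not accepted for credentialed requests" }
      : { allowed: true, reason: "wildcard" };
  }
  if (acao !== pageOrigin) {
    return { allowed: false, reason: `header names ${acao}, page origin is ${pageOrigin}` };
  }
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentials not allowed by response" };
  }
  return { allowed: true, reason: "origin matches" };
}

const page = "http://www.example.test/form.htm";     // calling page (plain http)
const login = "https://www.example.test/login.htm";  // resource loaded into the window
const results = {
  noHeader: canRead(page, login, {}),
  ownOrigin: canRead(page, login, { "Access-Control-Allow-Origin": "https://www.example.test" }),
  callerOrigin: canRead(page, login, { "Access-Control-Allow-Origin": "http://www.example.test" }),
  httpsPage: canRead("https://www.example.test/form.htm", login, {}),
};
console.log(results);
```

When the calling page is itself served over HTTPS from the same host, both URLs share one origin and no CORS header is involved.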
jackhuang wrote:
I don't use an Application file.
Inadvisable in ColdFusion. You really should.
Anyway, there is another test you could do. It involves you adding an extra page, whose function is to set the CORS response header.
testpage1.cfm
<cfscript>
pc = getPageContext();
response = pc.getResponse();
response.setHeader("Access-Control-Allow-Origin","*");
pc.include("testpage2.cfm");
</cfscript>
testpage2.cfm
<cfajaximport tags="cfform, cfmessagebox, cfwindow">
<cfwindow bodystyle="background:white;font:12px/normal arial, Helvetica, sans-serif;" initShow="true" width="350" height="255" name="signin" resizable="false" center="true" closable="true" draggable="false" source="https://mydomain/login.htm"/> <!--- Attribute 'enter' deleted, as it is invalid, and replaced with 'center'. Attribute 'closable' added --->
Thank you for all your help. I tried the test pages and they have exactly the same problem. The cfwindow still showed blank page.
What is the purpose of Application.cfm? The site seems to be running fine without it. You recommended
<cfapplication name="cfwintest"
sessionmanagement="Yes"
sessiontimeout="#createTimeSpan(0,0,20,0)#"
applicationtimeout="#createTimeSpan(1,0,0,0)#">
Is this something that I shall add to the root directory? Does it mean that if the user is logged in and there is no activity, it will time out in 20 minutes (all cookies deleted)?