
Polymer/html-imports blocked by .htaccess?


Osorio


Hi  :) 

I am currently experimenting with Google Polymer / Web Components, which relies on html-imports.
I noticed that Processwire's .htaccess blocks access to .html files in the template folder.

  # Block access to any PHP or markup files in /site/templates/
  RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ [OR]

Is it safe to reallow access to .html-files in "/templates"? Or maybe just to a specific subfolder, like "templates/html-imports/*.html"?  ???


In my honest opinion, I believe it's better to stick to the rules in place - they're all there for a reason. That said, you could add a condition to check for an applicable sub-folder. I don't particularly like making changes to the htaccess file as future ProcessWire upgrades can overwrite them. Sure, that's no biggie as your custom stuff can be added again from the backup file. However, it's just unnecessary work.

I haven't really looked at what gets blocked and what doesn't, but you might be better off creating a site/views folder, which is more applicable to the purpose.


Hi Osorio,

I am also experimenting with polymer and pw. However, I decided to modify the .htaccess to allow html imports.

I don't know if there are any security drawbacks but I can't think of any.

In my opinion it's better to keep the templating files in the template folder where they belong by design.

Maybe ryan could clarify this because there were already 2 people in 2014 who asked the same question.

  • Like 1

I haven't really looked at what gets blocked and what doesn't, but you might be better off creating a site/views folder, which is more applicable to the purpose.

Yes, I also tried putting bower_components (for pre-packaged elements) and an additional folder for custom elements into the site folder.

This worked out fine - however I can't quite shake the feeling that bower_components really belongs in site/templates. Also, apparently AIOM doesn't traverse out of site/templates by default, because of security reasons.

So, the reasoning behind the RewriteCond in question would be really helpful to know :)


The entry is in the .htaccess because files in that folder and of those types aren't normally supposed to be visible to users. They are part of the rendering process, but that's going through the index.php and therefore direct access isn't necessary. By default you wouldn't want users to be able to open html snippets directly, because they should only see the whole website. Polymer is a whole other way of templating and therefore needs direct access to partials. 

Edit: Additionally .php/.inc/.tpl will most likely hold php code which is dependent on the processwire bootstrap process and would error on direct access. .html is the only one which can potentially be independently useful.

  • Like 1

  • 2 weeks later...

Nothing should break the pw bootstrap process, this topic is about the security issues of skipping it. 

The .htaccess line which prevents the polymer loading is blocking access to .php/.tpl/.inc and .html (see first post). The first three file extensions do have the potential to be dependent on processwire runtime variables, therefore accessing them should be handled by processwire. The last extension is in that rule, because before polymer nobody needed to access .html files directly from the client. They were only used by the .php files internally. So it was in the best interest to block access to them, too, so users cannot access those html chunks. Now with polymer that's not the case anymore, so just remove the .html from the rule to use them with polymer.

Allowing more subfolders is also possible by editing the .htaccess rules and as long as there are only static files (js/css/html/img/…) it should not matter from a security standpoint.

  • Like 1
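
An added example, not part of any post in this thread: a Python check of which request paths the quoted RewriteCond pattern matches, next to the variant with html removed (as suggested above) and an assumed narrower variant that exempts only a hypothetical templates/html-imports/ subfolder, the folder named in the first post's question. The sample paths are constructed, and Python's re handles the constructs used here the same way as the PCRE engine behind Apache's mod_rewrite.

```python
import re

# Pattern copied from the RewriteCond quoted in the first post.
ORIGINAL = r"(^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$"
# Variant suggested in the thread: "html?" removed from the extension list.
HTML_REMOVED = r"(^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|tpl|inc))$"
# Assumption (not from the thread): keep .html/.htm blocked except below a
# hypothetical html-imports/ subfolder; .php/.tpl/.inc stay blocked everywhere.
SUBFOLDER_ONLY = (r"(^|/)(site|site-[^/]+)/templates"
                  r"($|/|/.*\.(php|tpl|inc)|/(?!html-imports/).*\.html?)$")

VARIANTS = {"original": ORIGINAL, "html_removed": HTML_REMOVED,
            "subfolder_only": SUBFOLDER_ONLY}

# Constructed request paths (REQUEST_URI values), not taken from a real site.
SAMPLE_URIS = [
    "/site/templates/home.php",
    "/site/templates/partials/nav.html",
    "/site/templates/html-imports/my-element.html",
    "/site/templates/html-imports/helper.php",
    "/site/templates/html-imports-old/x.html",
    "/site/templates/styles/main.css",
    "/site-demo/templates/_init.inc",
]

def blocked(pattern, uri):
    """True when the condition matches; RewriteCond patterns are unanchored searches."""
    return re.search(pattern, uri) is not None

def decisions(uri):
    """Map each variant name to whether it would block the given path."""
    return {name: blocked(p, uri) for name, p in VARIANTS.items()}

def newly_exposed(variant):
    """Sample paths the original rule blocks but the given variant lets through."""
    return [u for u in SAMPLE_URIS
            if blocked(ORIGINAL, u) and not blocked(VARIANTS[variant], u)]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        flags = ", ".join(f"{n}={'block' if b else 'allow'}"
                          for n, b in decisions(uri).items())
        print(f"{uri:48} {flags}")
    for name in ("html_removed", "subfolder_only"):
        print(name, "newly exposes:", newly_exposed(name))
```

The `newly_exposed` list is the part worth reviewing before editing .htaccess: removing html from the rule opens every .html file under templates, while the subfolder variant opens only the import folder.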

Hi  :) 

I am currently experimenting with Google Polymer / Web Components, which relies on html-imports.

I noticed that Processwire's .htaccess blocks access to .html files in the template folder.

  # Block access to any PHP or markup files in /site/templates/
  RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ [OR]

Is it safe to reallow access to .html-files in "/templates"? Or maybe just to a specific subfolder, like "templates/html-imports/*.html"?  ???

I also had issues loading Dojo Toolkit templates via Ajax. Well, it depends: if you know what you are doing, then sure. I removed mine; there's no way I can work, because my fragments are in external files loaded via XHR; that's just how Dojo Dijit works.
