Details
New Feature
Resolution: Unresolved
Description
MAGNOLIA-3915 introduced a new ACL parameter <site> that can be added at the beginning of an ACL path or URL pattern. The ACL rule is applied only when the current site definition matches the value in the angle brackets.
The purpose is to prevent a multisite scenario where content from one site can be accessed through all its sibling sites. Such a scenario hurts SEO efforts since crawlers interpret the sibling content as duplicate: it is the same content but visible through different URLs.
For example, the demo-project site definition says that when the site is accessed via the domain www.demo-project.com, content should be served from /demo-project, as defined in the handlePrefix property. However, it is also possible to access the sibling site's content, /demo-features, at the same domain using a URL such as www.demo-project.com/demo-features.html. The domain says content should be served from /demo-project, but in fact it can come from /demo-features. This is the issue.
To test locally:
- In your hosts file, map both domains to 127.0.0.1:
127.0.0.1 www.demo-project.com
127.0.0.1 www.demo-features.com
- Flush the DNS cache.
- Request content at http://www.demo-project.com:8080/magnoliaPublic/demo-features.html. The page is served from the sibling site /demo-features, which is the problem.
To deny cross-site content access using the new <site> parameter:
- Log into AdminCentral on the public instance and edit the anonymous role.
- Add an ACL in the URL space. Deny access to <demo-project>/demo-features*. Include the angle brackets. The first part, in brackets, means "apply this ACL when the site definition demo-project is in effect". The second part means "deny access to content at /demo-features and below".
- Save the role.
- Log out.
- Request content at http://www.demo-project.com:8080/magnoliaPublic/demo-features.html. You should be denied access and presented a login screen instead.
- Request content at http://www.demo-features.com:8080/magnoliaPublic/demo-features.html. Now the content should be served, because you are requesting it via a domain that is mapped to a different site definition, demo-features, so the rule does not apply.
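The following is an added example that models the semantics described in this issue; it is not Magnolia's own ACL code. It parses ACL paths of the form <site>/path*, applies a rule only when the request's site definition matches the bracketed value, and evaluates the three requests from the steps above. The host-to-site mapping, the catch-all allow rule standing in for what the anonymous role already grants, and the "deny wins, no match means deny" evaluation order are assumptions made for the example, as is the treatment of paths as relative to the context path (/magnoliaPublic).

```python
"""Model of the <site> URL-ACL parameter as described in this issue.

Added example, not Magnolia's code. It reproduces the documented semantics:
a rule prefixed with <site> applies only when that site definition is the
current one, and a trailing '*' matches a path and everything below it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostname -> site definition, standing in for the mapping the site
# definitions establish by domain (constructed for this example).
HOST_TO_SITE = {
    "www.demo-project.com": "demo-project",
    "www.demo-features.com": "demo-features",
}

_SITE_PREFIX = re.compile(r"^<([^<>]+)>(.*)$")


@dataclass(frozen=True)
class UrlAcl:
    site: Optional[str]  # None: rule applies under every site definition
    pattern: str         # URL path; trailing '*' means "this path and below"
    permission: str      # "allow" or "deny"


def parse_acl(entry: str, permission: str) -> UrlAcl:
    """Parse an ACL path such as '<demo-project>/demo-features*'."""
    if permission not in ("allow", "deny"):
        raise ValueError("permission must be 'allow' or 'deny'")
    m = _SITE_PREFIX.match(entry)
    if m:
        return UrlAcl(site=m.group(1), pattern=m.group(2), permission=permission)
    return UrlAcl(site=None, pattern=entry, permission=permission)


def path_matches(pattern: str, path: str) -> bool:
    """Only the trailing wildcard is modelled: '/x*' matches '/x.html' and '/x/y'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def rule_applies(rule: UrlAcl, site: str, path: str) -> bool:
    """A <site>-prefixed rule is skipped entirely under any other site definition."""
    if rule.site is not None and rule.site != site:
        return False
    return path_matches(rule.pattern, path)


def decide(rules: List[UrlAcl], site: str, path: str) -> str:
    """Deny wins over allow; with no matching rule the request is denied (assumption)."""
    decision = "deny"
    for rule in rules:
        if not rule_applies(rule, site, path):
            continue
        if rule.permission == "deny":
            return "deny"
        decision = "allow"
    return decision


# Anonymous role of the public instance as configured in the steps above.
# The catch-all allow is an assumption standing in for whatever the role
# already grants; the deny rule is the one added in this issue.
ANONYMOUS_RULES = [
    parse_acl("/*", "allow"),
    parse_acl("<demo-project>/demo-features*", "deny"),
]


def check_request(host: str, path: str, rules: List[UrlAcl] = ANONYMOUS_RULES) -> str:
    """Resolve the request's site definition from its host, then evaluate the ACLs.

    `path` is the path after the context path, e.g. '/demo-features.html'.
    """
    site = HOST_TO_SITE.get(host)
    if site is None:
        return "deny"  # unknown host: no site definition, treat as denied
    return decide(rules, site, path)


if __name__ == "__main__":
    for host, path in [
        ("www.demo-project.com", "/demo-features.html"),   # cross-site: deny
        ("www.demo-features.com", "/demo-features.html"),  # own site: allow
        ("www.demo-project.com", "/demo-project.html"),    # own site: allow
    ]:
        print(f"{host}{path} -> {check_request(host, path)}")
```

The same rule only closes one direction: content from /demo-project is still reachable through www.demo-features.com until a mirror rule, <demo-features>/demo-project*, is added to the same role, and any other role that public visitors can hold needs the same rules. Against a running instance, the equivalent check is to request the three URLs from the steps above with curl and confirm that only the first one returns the login screen.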
Document the new parameter, its usage, purpose and the scenario in /administration/security/accesscontrollists.