From 45f54b41d817a805d07092f7e4e2a9ac4d145444 Mon Sep 17 00:00:00 2001
From: Andrew Ozz <azaozz@git.wordpress.org>
Date: Wed, 27 Mar 2013 08:43:11 +0000
Subject: [PATCH] Logged out warnings: add fallback text dialog for: - The
 login page has "X-Frame-Options: DENY" header. - Cross-domain when displaying
 on the front-end on multisite with domain mapping. - The site forces ssl
 login but not ssl admin.

Add onbeforeunload prompt to counter (frame-busting) JS redirects. Move the JS and CSS into separate files. See #23295.

git-svn-id: https://develop.svn.wordpress.org/trunk@23805 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/css/wp-admin.css             |   6 +-
 wp-includes/css/wp-auth-check.css     |  76 +++++++++++++
 wp-includes/css/wp-auth-check.min.css |   0
 wp-includes/default-filters.php       |   2 +-
 wp-includes/functions.php             | 158 +++++++++-----------------
 wp-includes/js/wp-auth-check.js       |  87 ++++++++++++++
 wp-includes/js/wp-auth-check.min.js   |   0
 wp-includes/script-loader.php         |   6 +
 wp-login.php                          |  58 ++++++----
 9 files changed, 267 insertions(+), 126 deletions(-)
 create mode 100644 wp-includes/css/wp-auth-check.css
 create mode 100644 wp-includes/css/wp-auth-check.min.css
 create mode 100644 wp-includes/js/wp-auth-check.js
 create mode 100644 wp-includes/js/wp-auth-check.min.js

diff --git a/wp-admin/css/wp-admin.css b/wp-admin/css/wp-admin.css
index b831e61436..99d444def7 100644
--- a/wp-admin/css/wp-admin.css
+++ b/wp-admin/css/wp-admin.css
@@ -7291,9 +7291,13 @@ a.rsswidget {
 	width: auto;
 }
 
+body.interim-login {
+	height: auto;
+}
+
 .interim-login #login {
 	padding: 0;
-	width: 300px;
+	margin: 25px auto 20px;
 }
 
 .interim-login.login h1 a {
diff --git a/wp-includes/css/wp-auth-check.css b/wp-includes/css/wp-auth-check.css
new file mode 100644
index 0000000000..6a4c56f597
--- /dev/null
+++ b/wp-includes/css/wp-auth-check.css
@@ -0,0 +1,76 @@
+/*------------------------------------------------------------------------------
+ Interim login dialog
+------------------------------------------------------------------------------*/
+
+#wp-auth-check-wrap.hidden {
+	display: none;
+}
+
+#wp-auth-check-wrap #wp-auth-check-bg {
+	position: fixed;
+	top: 0;
+	bottom: 0;
+	left: 0;
+	right: 0;
+	background: #000;
+	opacity: 0.5;
+	filter: alpha(opacity=50);
+	z-index: 1000000;
+}
+
+#wp-auth-check-wrap #wp-auth-check {
+	position: fixed;
+	left: 50%;
+	overflow: hidden;
+	top: 40px;
+	bottom: 20px;
+	max-height: 435px;
+	width: 380px;
+	margin: 0 0 0 -190px;
+	padding: 0;
+	background-color: #fbfbfb;
+	-webkit-border-radius: 3px;
+	border-radius: 3px;
+	z-index: 1000001;
+}
+
+#wp-auth-check-wrap.fallback #wp-auth-check {
+	max-height: 180px;
+	overflow: auto;
+}
+
+#wp-auth-check-wrap #wp-auth-check-form {
+	background: url('../images/wpspin-2x.gif') no-repeat center center;
+	background-size: 16px 16px;
+	height: 100%;
+}
+
+#wp-auth-check-wrap #wp-auth-check-form iframe {
+	height: 100%;
+	width: 100%;
+	overflow: auto;
+}
+
+#wp-auth-check-wrap .wp-auth-check-close {
+	bottom: 10px;
+	display: none;
+	position: absolute;
+	right: 30px;
+}
+
+#wp-auth-check-wrap .wp-auth-fallback-expired {
+	outline: 0;
+}
+
+#wp-auth-check-wrap .wp-auth-fallback {
+	font-size: 14px;
+	line-height: 21px;
+	padding: 10px 25px;
+	display: none;
+}
+
+#wp-auth-check-wrap.fallback .wp-auth-fallback,
+#wp-auth-check-wrap.fallback .wp-auth-check-close {
+	display: block;
+}
+
diff --git a/wp-includes/css/wp-auth-check.min.css b/wp-includes/css/wp-auth-check.min.css
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index c24e68d7f2..1827dc94bd 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -295,6 +295,6 @@ add_filter( 'default_option_embed_autourls', '__return_true' );
 add_filter( 'heartbeat_settings', 'wp_heartbeat_settings' );
 
 // Check if the user is logged out
-add_action( 'admin_init', 'wp_auth_check_load' );
+add_action( 'init', 'wp_auth_check_load' );
 
 unset($filter, $action);
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index b55bca12f7..30a7f1715b 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -3887,43 +3887,69 @@ function wp_checkdate( $month, $day, $year, $source_date ) {
 }
 
 /**
- * Load the auth check, for monitoring whether the user is still logged in
+ * Load the auth check for monitoring whether the user is still logged in.
+ * Can be disabled with remove_action( 'init', 'wp_auth_check_load' );
  *
  * @since 3.6.0
  *
  * @return void
  */
 function wp_auth_check_load() {
-	wp_enqueue_script( 'heartbeat' );
-	add_filter( 'heartbeat_received', 'wp_auth_check', 10, 2 );
-	add_filter( 'heartbeat_nopriv_received', 'wp_auth_check', 10, 2 );
+	global $pagenow;
 
-	if ( is_admin() )
-		add_action( 'admin_print_footer_scripts', 'wp_auth_check_js' );
-	elseif ( is_user_logged_in() )
-		add_action( 'wp_print_footer_scripts', 'wp_auth_check_js' );
+	// Don't load for these types of requests
+	if ( defined('XMLRPC_REQUEST') || defined('IFRAME_REQUEST') || 'wp-login.php' == $pagenow )
+		return;
+
+	if ( is_admin() || is_user_logged_in() ) {
+		if ( defined('DOING_AJAX') ) {
+			add_filter( 'heartbeat_received', 'wp_auth_check', 10, 2 );
+			add_filter( 'heartbeat_nopriv_received', 'wp_auth_check', 10, 2 );
+		} else {
+			wp_enqueue_style( 'wp-auth-check' );
+			wp_enqueue_script( 'wp-auth-check' );
+
+			if ( is_admin() )
+				add_action( 'admin_print_footer_scripts', 'wp_auth_check_html', 5 );
+			else
+				add_action( 'wp_print_footer_scripts', 'wp_auth_check_html', 5 );
+		}
+	}
 }
 
 /**
- * Output the JS that shows the wp-login iframe when the user is no longer logged in
+ * Output the HTML that shows the wp-login dialog when the user is no longer logged in
  */
-function wp_auth_check_js() {
-	?>
-	<script type="text/javascript">
-	(function($){
-	$( document ).on( 'heartbeat-tick.wp-auth-check', function( e, data ) {
-		var wrap = $('#wp-auth-check-notice-wrap');
+function wp_auth_check_html() {
+	$login_url = wp_login_url();
+	$current_domain = ( is_ssl() ? 'https://' : 'http://' ) . $_SERVER['HTTP_HOST'];
+	$same_domain = ( strpos( $login_url, $current_domain ) === 0 );
+	
+	// Let plugins change this if they know better.
+	$same_domain = apply_filters( 'wp_auth_check_same_domain', $same_domain );
+	$wrap_class = $same_domain ? 'hidden' : 'hidden fallback';
 
-		if ( data['wp-auth-check-html'] && ! wrap.length ) {
-			$('body').append( data['wp-auth-check-html'] );
-		} else if ( !data['wp-auth-check-html'] && wrap.length && ! wrap.data('logged-in') ) {
-			wrap.remove();
-		}
-	}).on( 'heartbeat-send.wp-auth-check', function( e, data ) {
-		data['wp-auth-check'] = 1;
-	});
-	}(jQuery));
-	</script>
+	?>
+	<div id="wp-auth-check-wrap" class="<?php echo $wrap_class; ?>">
+	<div id="wp-auth-check-bg"></div>
+	<div id="wp-auth-check">
+	<?php
+
+	if ( $same_domain ) {
+		?>
+		<div id="wp-auth-check-form" data-src="<?php echo esc_url( add_query_arg( array( 'interim-login' => 1 ), $login_url ) ); ?>"></div>
+		<?php
+	}
+
+	?>
+	<div class="wp-auth-fallback">
+		<p><b class="wp-auth-fallback-expired" tabindex="0"><?php _e('Session expired'); ?></b></p>
+		<p><a href="<?php echo esc_url( $login_url ); ?>" target="_blank"><?php _e('Please log in again.'); ?></a>
+		<?php _e('The login page will open in a new window. After logging in you can close it and return to this page.'); ?></p>
+	</div>
+	<p class="wp-auth-check-close"><a href="#" class="button button-primary"><?php _e('Close'); ?></a></p>
+	</div>
+	</div>
 	<?php
 }
 
@@ -3940,85 +3966,7 @@ function wp_auth_check( $response, $data ) {
 	if ( is_user_logged_in() && empty( $GLOBALS['login_grace_period'] ) )
 		return $response;
 
-	return array_merge( $response, array(
-		'wp-auth-check-html' => '<div id="wp-auth-check-notice-wrap">
-<style type="text/css" scoped>
-#wp-auth-check {
-	position: fixed;
-	height: 90%;
-	left: 50%;
-	max-height: 415px;
-	overflow: auto;
-	top: 35px;
-	width: 300px;
-	margin: 0 0 0 -160px;
-	padding: 12px 20px;
-	border: 1px solid #ddd;
-	background-color: #fbfbfb;
-	-webkit-border-radius: 3px;
-	border-radius: 3px;
-	z-index: 1000000000;
-}
-#wp-auth-check-form {
-	background: url("' . admin_url('/images/wpspin_light-2x.gif') . '") no-repeat center center;
-	background-size: 16px 16px;
-}
-#wp-auth-check-form iframe {
-	height: 100%;
-	overflow: hidden;
-}
-#wp-auth-check a.wp-auth-check-close {
-	position: absolute;
-	right: 8px;
-	top: 8px;
-	width: 24px;
-	height: 24px;
-	background: url("' . includes_url('images/uploader-icons.png') . '") no-repeat scroll -95px center transparent;
-}
-#wp-auth-check h3 {
-	margin: 0 0 12px;
-	padding: 0;
-	font-size: 1.25em;
-}
-@media print,
-  (-o-min-device-pixel-ratio: 5/4),
-  (-webkit-min-device-pixel-ratio: 1.25),
-  (min-resolution: 120dpi) {
-	#wp-auth-check a.wp-auth-check-close {
-		background-image: url("' . includes_url('images/uploader-icons-2x.png') . '");
-		background-size: 134px 15px;
-	}
-}
-</style>
-<div id="wp-auth-check" tabindex="0">
-<h3>' .  __('Session expired') . '</h3>
-<a href="#" class="wp-auth-check-close"><span class="screen-reader-text">' . __('close') . '</span></a>
-<div id="wp-auth-check-form">
-	<iframe src="' . esc_url( add_query_arg( array( 'interim-login' => 1 ), wp_login_url() ) ) . '" frameborder="0"></iframe>
-</div>
-</div>
-<script type="text/javascript">
-(function($){
-var el, wrap = $("#wp-auth-check-notice-wrap");
-el = $("#wp-auth-check").focus().find("a.wp-auth-check-close").on("click", function(e){
-	el.fadeOut(200, function(){ wrap.remove(); });
-	e.preventDefault();
-});
-$("#wp-auth-check-form iframe").load(function(){
-	var height;
-	try { height = $(this.contentWindow.document).find("#login").height(); } catch(er){}
-	if ( height ) {
-		$("#wp-auth-check").css("max-height", height + 40 + "px");
-		$(this).css("height", height + 5 + "px");
-		if ( height < 200 ) {
-			wrap.data("logged-in", true);
-			setTimeout( function(){ wrap.fadeOut(200, function(){ wrap.remove(); }); }, 5000 );
-		}
-	}
-});
-}(jQuery));
-</script>
-</div>' ) );
+	return array_merge( $response, array( 'wp-auth-check' => '1' ) );
 }
 
 /**
@@ -4039,4 +3987,4 @@ function get_tag_regex( $tag ) {
 		return;
 
 	return sprintf( '(<%1$s[^>]*(?:/?>$|>[\s\S]*?</%1$s>))', tag_escape( $tag ) );
-}
\ No newline at end of file
+}
diff --git a/wp-includes/js/wp-auth-check.js b/wp-includes/js/wp-auth-check.js
new file mode 100644
index 0000000000..12144076b2
--- /dev/null
+++ b/wp-includes/js/wp-auth-check.js
@@ -0,0 +1,87 @@
+// Interim login dialog
+(function($){
+	var wrap;
+
+	function show() {
+		var parent = $('#wp-auth-check'), form = $('#wp-auth-check-form'), noframe = wrap.find('.wp-auth-fallback-expired'), frame, loaded = false;
+
+		if ( form.length ) {
+			// Add unload confirmation to counter (frame-busting) JS redirects
+			$(window).on( 'beforeunload.wp-auth-check', function(e) {
+				e.originalEvent.returnValue = window.authcheckL10n.beforeunload;
+			});
+
+			// Add 'sandbox' for browsers that support it, only restrict access to the top window.
+			frame = $('<iframe id="wp-auth-check-frame" sandbox="allow-same-origin allow-forms allow-scripts" frameborder="0">').attr( 'title', noframe.text() );
+			frame.load( function(e) {
+				var height, body;
+
+				loaded = true;
+
+				try {
+					body = $(this).contents().find('body');
+					height = body.height();
+				} catch(e) {
+					wrap.addClass('fallback');
+					form.remove();
+					noframe.focus();
+				}
+
+				if ( height ) {
+					if ( body && body.hasClass('interim-login-success') ) {
+						height += 35;
+						parent.find('.wp-auth-check-close').show();
+						wrap.data('logged-in', 1);
+						setTimeout( function() { hide(); }, 3000 );
+					}
+
+					parent.css( 'max-height', height + 60 + 'px' );
+				}
+			}).attr( 'src', form.data('src') );
+
+			$('#wp-auth-check-form').append( frame );
+		}
+
+		wrap.removeClass('hidden');
+
+		if ( frame ) {
+			frame.focus();
+			// WebKit doesn't throw an error if the iframe fails to load because of "X-Frame-Options: DENY" header.
+			// Wait for 5 sec. and switch to the fallback text.
+			setTimeout( function() {
+				if ( ! loaded ) {
+					wrap.addClass('fallback');
+					form.remove();
+					noframe.focus();
+				}
+			}, 5000 );
+		} else {
+			noframe.focus();
+		}
+	}
+
+	function hide() {
+		$(window).off( 'beforeunload.wp-auth-check' );
+
+		wrap.fadeOut( 200, function() {
+			wrap.addClass('hidden').css('display', '');
+			$('#wp-auth-check-frame').remove();
+		});
+	}
+
+	$( document ).on( 'heartbeat-tick.wp-auth-check', function( e, data ) {
+		if ( data['wp-auth-check'] && wrap.hasClass('hidden') ) {
+			show();
+		} else if ( ! data['wp-auth-check'] && ! wrap.hasClass('hidden') && ! wrap.data('logged-in') ) {
+			hide();
+		}
+	}).on( 'heartbeat-send.wp-auth-check', function( e, data ) {
+		data['wp-auth-check'] = 1;
+	}).ready( function() {
+		wrap = $('#wp-auth-check-wrap').data('logged-in', 0);
+		wrap.find('.wp-auth-check-close').on( 'click', function(e) {
+			hide();
+		});
+	});
+
+}(jQuery));
diff --git a/wp-includes/js/wp-auth-check.min.js b/wp-includes/js/wp-auth-check.min.js
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index ece253ddd5..903c5ba812 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -113,6 +113,11 @@ function wp_default_scripts( &$scripts ) {
 		apply_filters( 'heartbeat_settings', array() )
 	);
 
+	$scripts->add( 'wp-auth-check', "/wp-includes/js/wp-auth-check$suffix.js", array('heartbeat'), false, 1 );
+	did_action( 'init' ) && $scripts->localize( 'wp-auth-check', 'authcheckL10n', array(
+		'beforeunload' => __('Your session has expired. You can log in again from this page or go to the login page.'),
+	) );
+
 	$scripts->add( 'wp-lists', "/wp-includes/js/wp-lists$suffix.js", array( 'wp-ajax-response', 'jquery-color' ), false, 1 );
 
 	// WordPress no longer uses or bundles Prototype or script.aculo.us. These are now pulled from an external source.
@@ -543,6 +548,7 @@ function wp_default_styles( &$styles ) {
 	$styles->add( 'customize-controls', "/wp-admin/css/customize-controls$suffix.css", array( 'wp-admin', 'colors', 'ie' ) );
 	$styles->add( 'media-views', "/wp-includes/css/media-views$suffix.css", array( 'buttons' ) );
 	$styles->add( 'buttons', "/wp-includes/css/buttons$suffix.css" );
+	$styles->add( 'wp-auth-check', "/wp-includes/css/wp-auth-check$suffix.css" );
 
 	$styles->add( 'mediaelement', "/wp-includes/js/mediaelement/mediaelementplayer$suffix.css" );
 	$styles->add( 'wp-mediaelement', "/wp-includes/js/mediaelement/wp-mediaelement.css", array( 'mediaelement' ) );
diff --git a/wp-login.php b/wp-login.php
index 0c64fc5e64..13936adaea 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -48,10 +48,10 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
 		$wp_error = new WP_Error();
 
 	// Shake it!
-	$shake_error_codes = array( 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
+	$shake_error_codes = array( 'interim_login_error', 'empty_password', 'empty_email', 'invalid_email', 'invalidcombo', 'empty_username', 'invalid_username', 'incorrect_password' );
 	$shake_error_codes = apply_filters( 'shake_error_codes', $shake_error_codes );
 
-	if ( ! $interim_login && $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
+	if ( $shake_error_codes && $wp_error->get_error_code() && in_array( $wp_error->get_error_code(), $shake_error_codes ) )
 		add_action( 'login_head', 'wp_shake_js', 12 );
 
 	?><!DOCTYPE html>
@@ -100,6 +100,12 @@ function login_header($title = 'Log In', $message = '', $wp_error = '') {
 		// Don't allow interim logins to navigate away from the page.
 		$login_header_url = '#';
 		$classes[] = 'interim-login';
+		?>
+		<style type="text/css">html{background-color: transparent;}</style>
+		<?php
+
+		if ( 'success' ===  $interim_login )
+			$classes[] = 'interim-login-success';
 	}
 
 	$classes = apply_filters( 'login_body_class', $classes, $action );
@@ -624,6 +630,7 @@ default:
 	if ( !is_wp_error($user) && !$reauth ) {
 		if ( $interim_login ) {
 			$message = '<p class="message">' . __('You have logged in successfully.') . '</p>';
+			$interim_login = 'success';
 			login_header( '', $message ); ?>
 			</div>
 			<?php do_action( 'login_footer' ); ?>
@@ -648,29 +655,42 @@ default:
 	}
 
 	$errors = $user;
-	// Clear errors if loggedout or interim_login is set.
-	if ( !empty($_GET['loggedout']) || $reauth || $interim_login )
+	// Clear errors if loggedout is set.
+	if ( !empty($_GET['loggedout']) || $reauth )
 		$errors = new WP_Error();
 
 	// If cookies are disabled we can't log in even with a valid user+pass
 	if ( isset($_POST['testcookie']) && empty($_COOKIE[TEST_COOKIE]) )
 		$errors->add('test_cookie', __("<strong>ERROR</strong>: Cookies are blocked or not supported by your browser. You must <a href='http://www.google.com/cookies.html'>enable cookies</a> to use WordPress."));
 
-	// Some parts of this script use the main login form to display a message
-	if		( isset($_GET['loggedout']) && true == $_GET['loggedout'] )
-		$errors->add('loggedout', __('You are now logged out.'), 'message');
-	elseif	( isset($_GET['registration']) && 'disabled' == $_GET['registration'] )
-		$errors->add('registerdisabled', __('User registration is currently not allowed.'));
-	elseif	( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] )
-		$errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message');
-	elseif	( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] )
-		$errors->add('newpass', __('Check your e-mail for your new password.'), 'message');
-	elseif	( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] )
-		$errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message');
-	elseif	( $interim_login )
-		$errors->add('expired', __('Please log in again. You will not move away from this page.'), 'message');
-	elseif ( strpos( $redirect_to, 'about.php?updated' ) )
-		$errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' );
+	// Clear most errors if interim login
+	if ( $interim_login ) {
+		$error_code = $errors->get_error_code();
+		$errors = new WP_Error();
+
+		if ( $error_code ) {
+			if ( in_array( $error_code, array( 'empty_password', 'empty_username', 'invalid_username', 'incorrect_password' ) ) )
+				$errors->add('interim_login_error', __('<strong>ERROR</strong>: Invalid username or password.'));
+			else
+				$errors->add('interim_login_error_other', sprintf( __( '<strong>ERROR</strong>: Please contact the site administrator or try to <a href="%s" target="_blank">log in from a new window</a>.' ), wp_login_url() ) );
+		} else {
+			$errors->add('expired', __('Session expired. Please log in again. You will not move away from this page.'), 'message');
+		}
+	} else {
+		// Some parts of this script use the main login form to display a message
+		if		( isset($_GET['loggedout']) && true == $_GET['loggedout'] )
+			$errors->add('loggedout', __('You are now logged out.'), 'message');
+		elseif	( isset($_GET['registration']) && 'disabled' == $_GET['registration'] )
+			$errors->add('registerdisabled', __('User registration is currently not allowed.'));
+		elseif	( isset($_GET['checkemail']) && 'confirm' == $_GET['checkemail'] )
+			$errors->add('confirm', __('Check your e-mail for the confirmation link.'), 'message');
+		elseif	( isset($_GET['checkemail']) && 'newpass' == $_GET['checkemail'] )
+			$errors->add('newpass', __('Check your e-mail for your new password.'), 'message');
+		elseif	( isset($_GET['checkemail']) && 'registered' == $_GET['checkemail'] )
+			$errors->add('registered', __('Registration complete. Please check your e-mail.'), 'message');
+		elseif ( strpos( $redirect_to, 'about.php?updated' ) )
+			$errors->add('updated', __( '<strong>You have successfully updated WordPress!</strong> Please log back in to experience the awesomeness.' ), 'message' );
+	}
 
 	// Clear any stale cookies.
 	if ( $reauth )