• Hi,

    On a Multisite installation with Domain Mapping, after switching the network domain and all sites to HTTPS, I’m now facing a problem with Jetpack. It’s no longer possible to enable/disable modules or even disconnect. I can force a site disconnect/reconnect from the Network admin but cannot reconnect again from any site admin itself.

    Trying to connect directs me to a 404 page with an URL like https://network.dom/sitename/wp-admin/&from=landing-page-top

    Console sais something interesting:

    
    https://network.domain/sitename/wp-admin/admin.php?page=jetpack#/settings : Fetch API cannot load https://mapped.domain/wp-json/jetpack/v4/connection/url. Request header field x-wp-nonce is not allowed by Access-Control-Allow-Headers in preflight response.
    

    (notice the mapped domain is used for the API endpoint)

    And after a forced reconnect from the Network admin, I cannot enable or disable modules. I get a “… failed to activate. TypeError: Failed to fetch” message and console warns about the Access-Control-Allow-Headers issue again.

    Now my question is this: would adding a rule like

    
    Header add Access-Control-Allow-Origin "*"
    

    to the .htaccess solve this or would it open up all kinds of security issues?

    Thanks for any tips ??

Viewing 5 replies - 1 through 5 (of 5 total)
  • On closer inspection, it seems about the header field “x-wp-nonce” not being allowed.

    So I tried adding this to .htaccess:

    
    Header add Access-Control-Allow-Headers "x-wp-nonce"
    

    This change the errors in Console to many like these:

    
    GET https://mapped.domain/wp-json/jetpack/v4/connection/url 403 (Forbidden)
    GET https://mapped.domain/wp-json/jetpack/v4/module/protect/data  403 (Forbidden)
    ...
    

    When trying to activate a module, the error shown by Jetpack is about an invalid cookie nonce:

    échec de l’activation de Stats. Error: Le nonce du cookie n’est pas valide

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic ??

    When trying to activate a module, the error shown by Jetpack is about an invalid cookie nonce:

    What happens if you now log out of your site, and then log back in? Does it help?

    Hi Jeremy, indeed two days later logging back in, it al works.

    So can we conclude that adding the Access-Control-Allow-Headers “x-wp-nonce” to .htaccess was indeed needed? Seems strange… Is it only the Chrome browser that is extra strict about this kind of thing over SSL or is this not uncommon? Or is it the web host? It’s a shared hosting package at OVH…

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic ??

    can we conclude that adding the Access-Control-Allow-Headers “x-wp-nonce” to .htaccess was indeed needed?

    Since Jetpack uses nonces with each REST API request, you do indeed need to be able to include those nonces in the request header thanks to X-WP-Nonce.

    That header is usually included, but your hosting provider has a specific setup and that value was most likely removed or not included by default when the requests go through their load balancing system..

    OK thanks Jeremy, I’ll create a support ticket at OVH and request they allow X-WP-Nonce ??

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘TypeError: Failed to fetch’ is closed to new replies.