Alex

I had forgotten I was applying the content-mask-admin body class to the edit page as well (for some styles regarding the Mask column shown in the table), which is where using something like .inner was causing issues.

I’ve pushed out a small update to 1.8.2.6 that should take care of that.

Thanks for pointing that out!

“This is dumb”: No need to be negative when something doesn’t fit your use-case. I’m happy to take feature requests into account, but the fact that this is a free plugin with no monetization means it’s not something that goes right to the top of my priority list.

“why only manual masking”: It works the way it works because it’s how I needed it to work. The original use-case for Content Mask was to drop in individual landing pages built on external tools into one page on a WordPress site, which is why it’s (currently) one page on one URL, one at a time.

If you could, can you enlighten me on what exactly you’d like to see, I can see if it’s something I can incorporate.

That link that you sent is showing a 404 page, so I can’t attest to what you’re seeing, but it almost sounds like you have some caching set up on the front end.

It sounds like you used the “Download” method, which fetches the remote URL and pulls in the content and stores it as a Transient.

Nothing on your page is ever changed, per se. That is to say, that it doesn’t bring the remote content into your page editor (there’d be no way to integrate it outside of an HTML block, at which point you should just copy/paste it anyways). That’s why you don’t see anything in the editor.

If you simply turn the Content Mask off by toggling the checkmark, the function that runs on template redirect hook will abort, causing the content from the page editor to display once again. Here’s a quick 40 sec video showing what I mean: https://www.loom.com/share/8d5787375d70499dbba316dde133d38c

This is actually an issue with iframes (and how the digistore24.com website) implement cross-domain security policy details. I’ve outlined a similar issue in this support thread:

https://www.ads-software.com/support/topic/content-mask-not-loading-url/

The key takeaways are that you either need to:

A) The first, and best, option is to contact the sites in question that you would like to iframe, and request they don’t use the X-Frame-Options: SAMEORIGIN header, and instead use a Content-Security-Policy header and add your website to their policy directives list. Websites use one or both of these headers to help mitigate malicious actors including those attempting Clickjacking attacks. I’ve actually got a simple test on my website that lets you see if a website is using either of those header options.

or

B) Attempt to use the download method. This may not work particularly well with multi-page/step processes though unless they’re specifically designed for it

I wish it was something I could solve with an update to Content Mask, but alas it’s something you’ll need to get in touch with the website owners about and get them to add your domain to the Content Security Policy Directive of their site (and not use the SAMEORIGIN X-Frame-Options header).

The last option would be to just use the 301 Redirect option available in Content Mask, though it’s not nearly as elegant because it doesn’t show your URL in the address bar as soon as they access the content.

Hope that helps clarify it a little bit!

Would you be able to send a video of exactly what’s happening? Also if you open Dev Tools (F12 in Chrome), go to the Network Tab, and click on the icon, it should make a single XHR request that shows up in your logs: https://www.loom.com/share/ee00d4e47f474ce4bbd3278c44906aa6?from_recorder=1&focus_title=1

Can you let me know what that log shows? It should show a simple JSON payload of “Content Masking now [state] for [post_type]” with a status of 200. It may be receiving “No Values Detected” or “Unauthorized Values Detected”

Also if you could right click on one of them (that’s not working ideally) and choose inspect element, and send me a screenshot of it like this (fully opened in the element tree view) that would be helpful! https://i.imgur.com/DZuSceY.png

I’ve installed the new update on a handful of new sites, including localhost sites, and every request has gone through as intended to enable/disable it.

You can send those screenshots/video links/anything else to me at [email protected] and I’ll be happy to take a look!

I pushed out an update to version 1.8.2.4 that should a) prevent those warnings from showing, and b) added a “Post Type” selector in the Content Mask > Options page for all public post types.

Clicking on the X for a Post Type will now hide the Content Mask meta box on the editor page, as well as prevent any page-processing for that post type on the front end.

Let me know if anything isn’t working as expected!

Currently there’s not a way to disable it for Custom Post Types, but that’s actually a great idea – I’ll work on an update and get that added in there ASAP!

As for the errors, you may have WP_DEBUG mode or error_reporting enabled. However those are also errors I can account for in the plugin itself. Give me a few moments and I’ll get a preliminary update out that fixes that

This isn’t a Content Mask issue, but rather an issue with how your website (NorthDallasSEO.com) has its SSL setup.

Since you do have a valid SSL certificate, you should change your Site URL and Home URL to https://northdallasseo.com/maxpride (either in your wp-admin > Settings > General, or your wp-config.php file), and perhaps even add in a secure redirect rule to your .htaccess file like:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Some browsers (and settings within those browsers) will try to force SSL, some won’t. It’s best to set up your site to redirect users the the secure version yourself so it’s not reliant on the browser.

• This reply was modified 3 years, 10 months ago by Alex.

Hi there, I’m happy to try and help with this!

Unfortunately, it appears you’re running into the crux of an issue with iframes in general. Three of the websites you’ve listed have either set a header called X-Frame-Options to SAMEORIGIN and/or set a Content-Security-Policy that does not include your domain in the directives list.

The fourth website is using the insecure https:// protocol, and if you’re using the secure https:// protocol, no browser will show that website due to insecure content policy changes made a few years ago. Content Mask attempts to alleviate this by force-upgrading the iframe to https:// when used on a secure site, but if the site in question doesn’t have a valid SSL certificate, it still won’t show (it wouldn’t have shown anyways, so there’s nothing to lose when trying to upgrade the protocol).

This leaves you with two options:

The first, and best, option is to contact the sites in question that you would like to iframe, and request they don’t use the X-Frame-Options: SAMEORIGIN header, and instead use a Content-Security-Policy header and add your website to their policy directives list. Websites use one or both of these headers to help mitigate malicious actors including those attempting Clickjacking attacks. I’ve actually got a simple test on

that you can put a URL in to check if it’s using a CSP or XFO header.

The second option would be to instead use the download method instead of the iframe option. This can cause some issues with forms and things though, so it’s really more of a fallback, as generally if you’ve got license/rights to use the content, the owner can add your domain to their CSP header. It’s intended more as a fallback for people using a SaaS solution where the owner of the page content isn’t also the host/provider for the solution (such as landing pages and things of that nature).

The last option, if you’re unable to get added to the CSP headers and the download method doesn’t work, would be to just use the 301 Redirect option, which isn’t as graceful as it no longer shows your URL, but still gets your visitors to the intended content.

I hope that helps clarify things a bit!

Hi there!

Unfortunately you’ve unmasked one of the issues of using non-integrated URLs in a work flow. This isn’t really something that can be solved with Content Mask, this is something that would need to be set up on the unmasked source in how the web form is processed.

On the unmasked source, you’ll need to handle the masked url separately (such as detecting the URL the form was submitted from, and whether or not it was framed, and then process the entry/redirect accordingly).

Without filling out the form on the masked url, I’m not able to see exactly what’s happening, but generally you’ll need to handle the url separately, and depending on whether the content was Iframed or Downloaded, that can differ as well.

Great, glad we were able to get it sorted!

Hi there, which version of Content Mask are you using? A few versions ago there was an issue with the cache not clearing, but it’s been fixed for quite a while.

If you need to forcefully clear a cache, you have a few options:

1) Go to the “Content Mask” admin page, go to the three dots on the right hand side of the masked page to pull up the sub-menu, and click “Refresh Transient”.

2) Go to the actual “Edit” page for the page you have masked, and just click update. That should force a refresh.

3) Add a query string parameter to the Content Mask URL. Change it from “example.com” to anything like “example.com?v=1”, or if you have a query string on the URL already, just add anything else “example.com?foo=bar&v=1”. That should treat it as an entirely new page and grab a fresh copy.

Let me know if any of those don’t work!

Hey there! Can you let me know what browser and operating system you’re using? I’ve tried it in Brave, Chrome, and Firefox on Windows 10, as well as Brave/Chrome on Android and I everything looks great. Can you also try it in a Private/Incognito window of whatever browser you’re using to see if the issue persists there as well?

Sincerely, thank you so much for the donation and the encouragement!

I had never even considered using Content Mask to turn Google Slides into a pseudo-site like that, that’s really fantastic. Sentiment like yours is what really keeps me going with this. Again, I sincerely appreciate it and am glad you’re getting use out of the plugin – the site is absolutely brilliant by the way!

Would you be able to share a screenshot of what’s happening when you try to log in? I can see the page is loading alright. Some pages don’t allow themselves to be iframed or masked, or only whitelist certain IP Addresses to serve assets to or parse form requests from. A more secure system may only allow login attempts from their own IP Address.

Without seeing the actual error when you log in, all I can do is speculate though