I have recently configured a CDN through Nexcess, our hosting provider, for our Magento store. I originally did this only for media images but recently moved the theme/skin files over the CDN as well. This seems to be working great on the frontend, but I've noticed a problem in the admin. If I try to upload product images it fails after selecting the file in the popup. It never shows me the extra box where I select which type of image it is and plete the upload. This is only a problem when the unsecure skin URL is pointed at the CDN. If I point it locally again, everything works fine.

My guess is that it has something to do with the javascript that lives in the skin folders. Some JS is theme based rather than being in the root js/ folder, and I know that sometimes remotely hosted javascript can be an issue. Our CDN URL is in our subdomain, though, so I would imagine that would be okay but I just don't know enough about this stuff.

Has anyone run into this or a similar problem? Any ideas?

I have recently configured a CDN through Nexcess, our hosting provider, for our Magento store. I originally did this only for media images but recently moved the theme/skin files over the CDN as well. This seems to be working great on the frontend, but I've noticed a problem in the admin. If I try to upload product images it fails after selecting the file in the popup. It never shows me the extra box where I select which type of image it is and plete the upload. This is only a problem when the unsecure skin URL is pointed at the CDN. If I point it locally again, everything works fine.

My guess is that it has something to do with the javascript that lives in the skin folders. Some JS is theme based rather than being in the root js/ folder, and I know that sometimes remotely hosted javascript can be an issue. Our CDN URL is in our subdomain, though, so I would imagine that would be okay but I just don't know enough about this stuff.

Has anyone run into this or a similar problem? Any ideas?

• javascript
• magento
• cdn

• is your admin area using SSL? – Ian Commented Jul 11, 2011 at 23:53
• @Ian, its related to XSS rather than SSL, see answers below. This is an annoying issue! – Jonathan Day Commented Jul 12, 2011 at 1:26
• 1 @Jonathan Day, I ask because going between https and http is usually considered "cross-site" and triggers XSS security protections. See en.wikipedia/wiki/Same_origin_policy . Flash uses a similar policy. – Ian Commented Jul 12, 2011 at 2:00

3 Answers 3

@clockworkgeek is right, it is related to a security restriction (XSS I believe). One option that doesn't require installing a module is to specify that only your frontend website serves its JS from the CDN, which means that admin-side JS will e from the server preventing the XSS issue.

To achieve this, change the website scope in the System>Config>Web section of the admin to your frontend store, untick the "Use Website" checkbox and set the "Base JavaScript URL" to the CDN. Change the scope back to "Default Config" and set the "Base Javascript URL" to {{unsecure_base_url}}js/

Hope this helps,
JD

There is an easier solution. You can have different Base URLs for backend and websites. While Magento backend always uses the default config scope, the individual websites can be different.

1. Go to System>General>web>Unsecure. Make sure Current Config Scope is Default
2. Base Skin URL = {{unsecure_base_url}}skin/
3. Base Media URL = your CDN URL for media
4. Base JavaScript URL = {{unsecure_base_url}}js/
5. Save Config
6. Change Current Config Scope to you preferred website
7. Base Skin URL = your CDN URL for static
8. Base Media URL = your CDN URL for media
9. Base JavaScript URL = your CDN URL for static

No problems with Upload button

I have experienced this and it is caused by a security (?!!) check in the flash uploader. The base, link, skin and media domains must be the same for it to progress.

The quick solution is to use No Flash Image Uploader.

From what I remember of the lib/flex/uploader source files (they are open source too) only the admin domains need to match. The admin uses the 'global' configuration so you can try putting the CDN details in the 'website' scope only. To switch between them use the 'configuration scope' select box in the top left corner of the configuration page.