Merge pull request #11607 from CredoReference/invalid-display-coursew…

…are-through-lti-iframe Invalid display courseware through the LTI iframe in IE 10+
openedx · Mar 4, 2016 · 56ecc66 · 56ecc66
2 parents 01e6fa8 + ca82f14
commit 56ecc66
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 0 deletions.
diff --git a/cms/envs/common.py b/cms/envs/common.py
@@ -358,6 +358,9 @@
 # Clickjacking protection can be enabled by setting this to 'DENY'
 X_FRAME_OPTIONS = 'ALLOW'
 
+# Platform for Privacy Preferences header
+P3P_HEADER = 'CP="Open EdX does not have a P3P policy."'
+
 ############# XBlock Configuration ##########
 
 # Import after sys.path fixup

diff --git a/common/djangoapps/util/views.py b/common/djangoapps/util/views.py
@@ -374,3 +374,22 @@ def accepts(request, media_type):
     """Return whether this request has an Accept header that matches type"""
     accept = parse_accept_header(request.META.get("HTTP_ACCEPT", ""))
     return media_type in [t for (t, p, q) in accept]
+
+
+def add_p3p_header(view_func):
+    """
+    This decorator should only be used with views which may be displayed through the iframe.
+    It adds additional headers to response and therefore gives IE browsers an ability to save cookies inside the iframe
+    Details:
+    http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx
+    http://stackoverflow.com/questions/8048306/what-is-the-most-broad-p3p-header-that-will-work-with-ie
+    """
+    @wraps(view_func)
+    def inner(request, *args, **kwargs):
+        """
+        Helper function
+        """
+        response = view_func(request, *args, **kwargs)
+        response['P3P'] = settings.P3P_HEADER
+        return response
+    return inner
diff --git a/lms/djangoapps/lti_provider/views.py b/lms/djangoapps/lti_provider/views.py
@@ -14,6 +14,7 @@
 from lms_xblock.runtime import unquote_slashes
 from opaque_keys.edx.keys import CourseKey, UsageKey
 from opaque_keys import InvalidKeyError
+from util.views import add_p3p_header
 
 log = logging.getLogger("edx.lti_provider")
 
@@ -32,6 +33,7 @@
 
 
 @csrf_exempt
+@add_p3p_header
 def lti_launch(request, course_id, usage_id):
     """
     Endpoint for all requests to embed edX content via the LTI protocol. This

diff --git a/lms/envs/common.py b/lms/envs/common.py
@@ -1163,6 +1163,9 @@
 # Clickjacking protection can be enabled by setting this to 'DENY'
 X_FRAME_OPTIONS = 'ALLOW'
 
+# Platform for Privacy Preferences header
+P3P_HEADER = 'CP="Open EdX does not have a P3P policy."'
+
 ############################### PIPELINE #######################################
 
 PIPELINE_ENABLED = True