Invalid display courseware through the LTI iframe in IE 10+ #11607
Thanks for the pull request, @strannikk! I've created OSPR-1153 to keep track of it in JIRA. JIRA is a place for product owners to prioritize feature reviews by the engineering development teams. Feel free to add as much of the following information to the ticket:
All technical communication about the code itself will still be done via the GitHub pull request interface. As a reminder, our process documentation is here. If you like, you can add yourself to the AUTHORS file for this repo, though that isn't required. Please see the CONTRIBUTING file for more information.
jenkins run bokchoy
# this header should be used to save CSRF cookies in IE 10+ browser | ||
# in case of display courseware through the iframe | ||
# http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx | ||
resp['P3P'] = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"' |
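Review bot: The compact policy on the resp['P3P'] line is a hard-coded literal set inline on the response, and its tokens (IDC DSP COR ADM ...) are machine-readable declarations about data handling that the comment above neither explains nor justifies. Move the value to a named setting, and say in the comment where the token list came from and whether it matches the site's actual practices, since the only source cited is a blog post about cookie blocking in frames.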
@strannikk How did you come to define this P3P policy?
@douglashall What do you mean? If you are asking about the P3P value, I've taken it from the blog article where this problem was described. This issue is very popular and could be found in many internet articles (for example on Stack Overflow).
@strannikk Sorry, I am not entirely familiar with P3P and I am wondering if there is a good resource which describes each of the policy values you have listed here.
@strannikk Can you move the addition of this header to a Python decorator and apply the decorator to this function? Also, the policy value should be moved to a Django setting in lms/envs/common.py.
@strannikk I think we should do something similar to what Facebook and Google are doing for the P3P policy, a plain-text explanation that we do not have a P3P policy. See http://stackoverflow.com/questions/8048306/what-is-the-most-broad-p3p-header-that-will-work-with-ie
@douglashall Not sure. I believe in this case LTI in IE will not work properly...
@douglashall Sorry. I've read the solutions on Stack Overflow. OK. I'll try to use the Facebook approach. Let's see how it turns out.
Thanks @strannikk. I have tried the following locally with a Canvas consumer and it seems to work.
resp['P3P'] = 'CP="Open EdX does not have a P3P policy."'
c04ff38 to be2df68
@douglashall I've updated the PR according to your comments
…ndering properly. The problems render properly in IE 10 & 11 when using edX directly, or when opening LTI in a new tab. This is reproducible in Canvas and D2L
be2df68 to ca82f14
👍
@robrap Can you give this a second thumb? I have tested this locally and it looks good.
@@ -358,6 +358,9 @@ | |||
# Clickjacking protection can be enabled by setting this to 'DENY' | |||
X_FRAME_OPTIONS = 'ALLOW' | |||
|
|||
# Platform for Privacy Preferences header | |||
P3P_HEADER = 'CP="Open EdX does not have a P3P policy."' |
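Review bot: The comment above P3P_HEADER only names the header; it does not say why the setting exists or that the value is deliberately not a real compact policy. Expand it to note that the header is sent so IE 10+ keeps cookies when courseware is displayed through an iframe, and that the CP text is a plain-language statement rather than a token list, so a later reader does not mistake it for a policy declaration or remove it as dead configuration.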
@douglashall I think we should tag someone (who?) on legal based on the following blog article.
https://blogs.msdn.microsoft.com/ie/2012/02/20/google-bypassing-user-privacy-settings/
Thoughts?
Other than that, it looks fine.
FWIW that article was written in 2012 and I think things have evolved since then. From the research I have done, P3P seems to be a dead standard that no one except for IE implements. @smagoun Is there someone in legal who can/should look at this?
@douglashall I did a quick search/read on my commute. If what you say is true, I'd say we shouldn't waste much time on this and I would give it a 👍 . What do you think?
@douglashall Do I need to move decorator to
@strannikk Yes, I removed that comment after thinking about it some more. I think the location you chose is the right one. FYI, we need to run the P3P policy by our legal team here. More to come soon. Thanks again for raising this issue and putting in the fix.
Microsoft has dropped support for P3P on all versions of IE on Windows 10. https://msdn.microsoft.com/en-us/library/mt146424(v=vs.85).aspx
…are-through-lti-iframe Invalid display courseware through the LTI iframe in IE 10+
When using in-frame LTI navigation in IE 10 & 11, problems are not rendering properly. The problems render properly in IE 10 & 11 when using edX directly, or when opening LTI in a new tab. This is reproducible in Canvas and D2L:


This problem happens because in iframe JS couldn't get Cookie for the CSRF protection and sends always null:
So per every such question LTI server returns HTTP 403:
instead of:
It is connected with the cookie-restricting privacy feature called P3P. More details can be found here: http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx

I've created a little fix. You could see it in this pull request. I know only one case of using iframe to display courseware so I'm not sure that this fix should be applied only for the LTI views. Maybe it should be used globally for all other entry points.
Display questions after the fix: