-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix scorm xblock x frame options #35080
Conversation
6f832a1
to
a2c3ac7
Compare
… sameorigin for certain urls
Use wildcards fit for local debugging or stage/prod operation
Use wildcards fit for local debugging or stage/prod operation
c63c2fa
to
99b0af5
Compare
Unfortunately I just don't have time to do a proper review, but here are some assorted notes after a quick skim:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Temporarily adding a request changes review simply so it is clear that this should not merge as-is. We can discuss next steps as needed. Thank you.
Closed in favor of https://github.com/edx/edx-internal/compare/chore--add-csp-settings-to-stage?expand=1 |
Bookkeeping note: That edx-internal branch corresponds to PR https://github.com/edx/edx-internal/pull/11477 (branch was deleted after merge) |
TL;DR
This adds support for the SCORM xblock at its latest version. Via that xblock, this allows to use SCORM blocks in courses.
This is done via a Content-Security-Policy (CSP) but only for specific endpoints.
Description
To support SCORM Connect, we need to update The SCORM xblock to the latest version (> 18) because that fixes a bug where the SCORM API does not provide learner_id.
When we initially tried to update this xblock, we learned that SCORM does not work on edx-platform with the default config of setting the
X-Frame-Options
response header to "DENY", because the SCORM xblock uses an iframe and that header disallows framing content.To prevent clickjacking, either a
Content-Security-Policy
header with theframe-ancestors
key must be in place, orX-Frame-Options
must be set to "DENY" or "SAMEORIGIN".X-Frame-Options
: "SAMEORIGIN" is insufficient because we need to allow framing content by our Microfrontends, which have different-origin URLs.So here we add a Content-Security-Policy header, but only to specific endpoints, because we don't want to make sweeping changes to edx-platform responses unless necessary.
To achieve this, we copied the Content-Security-Policy middleware from edx-django-utils and then modified the copy so that it allows adding different CSPs to specific endpoints via url regex matching.
Supporting information
Testing instructions
edx-test-course-scorm-connect--scorm-test-pano--edXSCORMcourses--scorm-2004 (1).zip
ContentPackagingSingleSCO_SCORM12.zip
make dev.shell.lms
(or cms)make requirements
pip install openedx-scorm-xblock
-> check that this is version > 18make dev.restart-container.lms
(or cms)Deadline
We'd like to deploy this to stage if possible Monday morning.
Other information
There's plenty of background info about SCORM Connect and why we're trying to support it if needed, just reach out to @jesperhodge .