** Changed in: mahara
Milestone: 17.10.0 => 18.04.0
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1677068
Title:
Move from X-Frame-Options to Content-Security-Policy
Status in Mahara:
Confirmed
Bug description:
Currently one cannot embed Mahara within an iframe on third party site
This is due to:
X-Frame-Options = SAMEORIGIN
(see:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
And we can't allow specific external sites to embed mahara in an
iframe (well at least not for all major browsers)
But good news there is: Content-Security-Policy
(see: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
Where we can specify which domains are allowed to show which things
But bad news - to get it to work we'd need to do bad things in relation to
inline javascript
(see:
https://www.html5rocks.com/en/tutorials/security/content-security-policy/)
Also we'd need to detect that we are in an external iframe before the
page loads so we can set the headers to allow the correct external
site (via init.php)
Currently we set the headers after $session starts and before we enable the
$USER object
So we'd need to add something to detect that we are in an iframe on an
external site and that site is allowed to do this.
NOTE: some of our pages load in iframes themselves (via pieform
submission)
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1677068/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
