  1. Moodle
  2. MDL-64281

Always allow frame embedding for requests coming from the Moodle app


    Details

    • Testing Instructions:
      Prerequisite
      1. Moodle mobile app.
      2. Your Moodle mobile app should be able to connect to your Moodle website. You can do either of the following:
        • Ensure that the phone with the mobile app and the web server are on the same network. Or
        • Expose the web server over the internet via ngrok.
      Test
      1. As admin, go to "Administration -> Security -> HTTP security" and check that the "Allow frame embedding" setting is disabled (not ticked). Verify that the help text for the setting includes a note about "mobile app".
      2. In any course, create a new "Page resource" including this HTML code (you have to switch to the HTML view). Please replace the src attribute with the correct path to your installation.

        <iframe src="http://192.168.1.156/m/stable_master/admin/tool/policy/viewall.php" width="100%"></iframe>
        

      3. Save and check that you see the page resource with the iframe contents (the iframe shows a page listing the configured site policies; it may display an empty list if no policies are configured).
      4. As admin, enable "Mobile services": Site administration ► Mobile app ► Mobile settings
      5. Access the site with the mobile app using any user account that has access to the page resource you created.
      6. Check that the app displays the iframe contents (it may take a few seconds to load the page)
    • Affected Branches:
      MOODLE_36_STABLE, MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-64281-master

      Description

      There are several cases where we need to embed (via iframes) the Moodle site on the app:

      • Vimeo restricted videos (so the Referer of the request to Vimeo servers comes from the site)
      • When using custom embedded menu items
      • When someone using the H5P module embeds an activity
        etc.

      Right now, the only way to make those frames work on the app is to have the allowframeembedding setting enabled, but this may be risky in some situations, and some admins don't enable it, so the mobile experience is very poor.

      To solve this, we must allow frame embedding for requests coming from the app. There is an easy way to do this: we can use the User-Agent header in the original request (the word MoodleMobile is always present as part of the User-Agent).

      This should be super safe, because the User-Agent header is not writable via JavaScript (it can be changed only by using a Chrome extension or your own browser).
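
The check proposed in the description, sketched as stand-alone PHP and run against the cases from the testing instructions. This is an added example, not Moodle's own code: the function name `frame_headers` and the sample User-Agent strings are made up for illustration, and it assumes the setting governs an `X-Frame-Options: sameorigin` response header.

```php
<?php
// Added illustration, not Moodle's own code. frame_headers() is a hypothetical name.

/**
 * Decide which anti-framing header (if any) to send with a response.
 *
 * @param bool   $allowframeembedding Value of the "Allow frame embedding" setting.
 * @param string $useragent           Raw User-Agent request header ('' when absent).
 * @return string[] Header lines to send.
 */
function frame_headers(bool $allowframeembedding, string $useragent): array {
    // The description states the app always carries this word in its User-Agent.
    $fromapp = strpos($useragent, 'MoodleMobile') !== false;
    if ($allowframeembedding || $fromapp) {
        return [];   // Framing permitted: no restriction header is sent.
    }
    return ['X-Frame-Options: sameorigin'];
}

// Constructed sample requests (User-Agent strings are shortened, made-up values).
$requests = [
    ['desktop browser',       'Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0'],
    ['Moodle app WebView',    'Mozilla/5.0 (Linux; Android 9) MoodleMobile'],
    // The header value is asserted by the client, so any client that sets its
    // own User-Agent takes the same branch as the app.
    ['client-set User-Agent', 'ExampleClient/1.0 MoodleMobile'],
    ['no User-Agent header',  ''],
];

foreach ([false, true] as $setting) {
    printf("allowframeembedding=%s\n", $setting ? 'on' : 'off');
    foreach ($requests as [$label, $ua]) {
        $headers = frame_headers($setting, $ua);
        printf("  %-24s %s\n", $label,
            $headers ? implode(', ', $headers) : '(no X-Frame-Options)');
    }
}
```

With the setting off, only the desktop browser and the request without a User-Agent receive the header, which is the behaviour steps 1 to 6 of the testing instructions exercise.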


                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  20/May/19

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 35m