  1. Moodle
  2. MDL-69295

Clarify or prevent possible data collection via campaign iframe

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.9.1
    • Fix Version/s: None
    • Component/s: Administration
    • Labels:
      None
    • Affected Branches:
      MOODLE_39_STABLE

      Description

      The campaign content iframe makes a request to campaign.moodle.org without preventing the referrer from being shared. That exposes the wwwroot of the Moodle site, which could be collected for statistics. Moreover, the request being made through an iframe, the IP address of the end-user could also be collected.

      I don't have any issue with that information being collected, but I think it would be fair to inform that this could be the case, especially as this feature can only be disabled by editing config.php.

      This sentiment is reinforced by the content displayed right above the campaign banner, relating to the feedback feature (that is opt-in).

      Moodle HQ strives to be open and transparent about its data collection practices. Thus, we want to make sure that you are aware and in control of this functionality.

      If data does not need to be collected, adding referrerpolicy="no-referrer" to the iframe will prevent the wwwroot from being shared. To avoid sharing the user's IP address, however, the only option would be to make the request server-side, but then displaying the content has security implications. Though I believe the IP address is not really an issue if wwwroot is not shared, as a real person would hardly be identifiable.
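      Added example, not part of the original report and not Moodle's code: a small audit that lists cross-origin iframes in a page and the Referer value each one would receive under its referrerpolicy attribute. The page URL and markup are constructed placeholders, and the default policy used when the attribute is absent is an assumption about the browser.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

DEFAULT_POLICY = "strict-origin-when-cross-origin"  # assumption: current browser default

def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def referrer_sent(page_url, frame_url, policy=""):
    """Referer a browser sends when page_url embeds frame_url (None = header omitted)."""
    policy = policy or DEFAULT_POLICY
    full, short = urldefrag(page_url).url, origin(page_url) + "/"
    same = origin(page_url) == origin(frame_url)
    downgrade = page_url.startswith("https:") and not frame_url.startswith("https:")
    if policy == "no-referrer":
        return None
    if policy in ("unsafe-url", "origin"):
        return full if policy == "unsafe-url" else short
    if policy in ("same-origin", "origin-when-cross-origin"):
        return full if same else (None if policy == "same-origin" else short)
    if downgrade:  # the remaining policies all withhold the header on HTTPS -> HTTP
        return None
    if policy == "strict-origin":
        return short
    if policy == "no-referrer-when-downgrade":
        return full
    return full if same else short  # strict-origin-when-cross-origin, also unknown values

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []  # (src, referrerpolicy) for every <iframe> seen

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and attrs.get("src"):
            self.frames.append((attrs["src"], (attrs.get("referrerpolicy") or "").lower()))

def audit(page_url, html):
    """List (iframe URL, Referer value) for cross-origin iframes that still get a Referer."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src, policy in collector.frames:
        target = urljoin(page_url, src)
        sent = referrer_sent(page_url, target, policy)
        if origin(target) != origin(page_url) and sent is not None:
            findings.append((target, sent))
    return findings

# Constructed sample, not Moodle's actual markup; example.edu is a placeholder host.
PAGE = "https://moodle.example.edu/lms/admin/index.php?cache=1#top"
HTML = '<iframe src="https://campaign.moodle.org/"></iframe>'
```

      Even when the browser trims the Referer to the origin, the site's hostname still reaches the third party; only referrerpolicy="no-referrer" removes the header entirely.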


            People

            Assignee:
            Unassigned
            Reporter:
            fred Frédéric Massart
            Participants:
            Component watchers:
            Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
