  1. Moodle app
  2. MOBILE-4604

Non-partitioned cookies are set when retrieving the site logo breaking session when trying to embed iframes


    • Bug
    • Resolution: Done
    • Blocker
    • 4.4.0
    • 4.3.0
    • Android
    • Testing instructions

      This issue should be tested by a developer since it requires inspecting the app.

      Test embedded files

      1. Install the app on an Android device that didn't have the app already installed.
      2. Open the Inspector, go to Application > Cookies > http://localhost and check that no cookie is displayed.
      3. In the app, search some sites in the sites finder. Check that no cookie is displayed in the inspector. Check that the logos displayed for the sites (when it's not the Moodle logo) are loaded from a local URL, not from the original URL.
      4. Now go to log in to our master site. In the credentials page, check that the logo is displayed. Check that no cookie is displayed in the inspector. Check that the logo is loaded from a local URL, not from the original URL.
      5. Log in to the site and open the user menu. Check that the logo is displayed. Check that no cookie is displayed in the inspector. Check that the logo is loaded from a local URL, not from the original URL.
      6. Open "MM Dev Testing course > Resouce: URL > Embedded image using pluginfile.php copied from another place" (right now it's the last one). Check that the image is displayed. Check that a MoodleSession cookie is displayed in the inspector and it has a "Partition key". Check that the image is loaded either using tokenpluginfile or webservice/pluginfile.

      Test InAppBrowser

      1. In the Android app, log in with a user that needs to change his password (force password change).
      2. Click "Change password"; the IAB will open with the page to edit the settings.
      3. Log out in the InAppBrowser and then close the InAppBrowser.
      4. Open the Inspector, go to Application > Cookies > http://localhost and check that there is a MoodleSession cookie and it doesn't have a "Partition key" (it was set when you logged out in the IAB).
      5. Wait for the auto-login time (in our master site it's 1 minute).
      6. Click "Reconnect".
      7. Click "Change password" again. Check that the IAB opens with the page to edit the settings. You shouldn't see a message saying that you already logged in.

      Test iOS

      1. Install the app on an iOS device.
      2. In the app, search some sites in the sites finder. Check that the logos displayed for the sites (when it's not the Moodle logo) are loaded using an online URL, not a local URL (the opposite of what Android does).
      3. Now go to log in to our master site. In the credentials page, check that the logo is displayed. Check that the logo is loaded from the original URL, not from a local URL.
    • MOODLE_403_STABLE
    • MOODLE_404_STABLE
    • Moodle Apps - 2024 i2.1, Moodle Apps - 2024 i2.2

      This needs to be solved in LMS but meanwhile we need to at least try to handle some of the most typical use cases.

      This affects any embedded media in the app that doesn't use core-external-content, like the site logo. These are the places that I detected that embed resources that can be online and we don't use core-external-content:

      • mod_url configured to embed an image, audio or video. Using core-external-content means that the file will be downloaded.
      • Grades: in grades we can display an image (row.image / grade.image).
      • Site logo in several places: user menu, credentials page, reconnect page, site finder (next to the site in the results).
      • Login providers logos (OAuth), we display the icon in the OAuth button.

       

      Decisions taken:

      • For mod_url, we'll fix the URL if needed to use tokenpluginfile or webservice/pluginfile. It won't be downloaded.
      • For grades, we will use external-content to download the images like we do with mod icons.
      • For site logo, if the user is already authenticated we'll use core-external-content to download the logo. When the user isn't authenticated, we'll fetch/download the logo and display it locally (either from a local URL or from a data URL, depending on what's easier).
      • For OAuth logos, we won't do anything because they shouldn't use pluginfile.php endpoint.
      • Also, we noticed that the cookie can cause problems when opening InAppBrowser with auto-login, so we decided to clear the session cache when opening an InAppBrowser with auto-login in Android.
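
      The mod_url decision above, sketched as an added example that is not the Moodle app's own code: a cookie-authenticated pluginfile.php URL is rewritten to tokenpluginfile.php or webservice/pluginfile.php so the embedded file loads without relying on the session cookie. `SiteAuth`, `fixPluginfileUrl`, the sample URLs and the tokens are hypothetical; the same-origin check is an assumption added so a token is never appended to a URL on another host.

```typescript
// Added illustration. SiteAuth and fixPluginfileUrl are hypothetical names,
// not the Moodle app's API; all URLs and tokens here are constructed.
interface SiteAuth {
    siteUrl: string;        // site root, possibly in a subdirectory
    wsToken: string;        // web service token of the logged-in user
    fileAccessKey?: string; // key for tokenpluginfile.php, if the site gave one
}

function fixPluginfileUrl(rawUrl: string, site: SiteAuth): string {
    const base = new URL(site.siteUrl);
    let url: URL;
    try {
        url = new URL(rawUrl, base);
    } catch {
        return rawUrl; // unparseable: leave untouched
    }
    // Assumption: credentials are only ever attached to the site's own origin.
    if (url.origin !== base.origin) return rawUrl;

    const basePath = base.pathname.replace(/\/+$/, '');
    if (!url.pathname.startsWith(basePath + '/')) return rawUrl;
    const rel = url.pathname.slice(basePath.length);

    // Only cookie-authenticated pluginfile.php is rewritten; tokenpluginfile.php
    // and webservice/pluginfile.php URLs fall through unchanged.
    const prefix = '/pluginfile.php';
    if (rel !== prefix && !rel.startsWith(prefix + '/')) return rawUrl;
    const args = rel.slice(prefix.length); // "" when the site uses ?file=...

    if (site.fileAccessKey && args) {
        url.pathname = `${basePath}/tokenpluginfile.php/${site.fileAccessKey}${args}`;
    } else {
        url.pathname = `${basePath}/webservice/pluginfile.php${args}`;
        url.searchParams.set('token', site.wsToken);
    }
    return url.toString();
}

const demoSite: SiteAuth = { siteUrl: 'https://lms.example/moodle', wsToken: 'WSTOKEN', fileAccessKey: 'FILEKEY' };
console.log(fixPluginfileUrl('https://lms.example/moodle/pluginfile.php/42/mod_url/intro/pic.png', demoSite));
console.log(fixPluginfileUrl('https://cdn.other.example/pluginfile.php/1/a/b/c.png', demoSite));
```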

        1. ios-testing-login-logo.png (212 kB)
        2. screenshot-1.png (410 kB)
        3. screenshot-2.png (106 kB)

            Dani Palou (dpalou)
            Juan Leyva (jleyva)
            Pau Ferrer
            Juan Leyva