Merge pull request #11607 from CredoReference/invalid-display-courseware-through-lti-iframe

Invalid display courseware through the LTI iframe in IE 10+

Merge pull request #11607 from CredoReference/invalid-display-courseware-through-lti-iframe
Invalid display courseware through the LTI iframe in IE 10+
56ecc664 · Douglas Hall · 01e6fa81 · ca82f143 · 56ecc664 · 56ecc664
Commit 56ecc664 authored Mar 04, 2016 by Douglas Hall
Show whitespace changes
Inline Side-by-side

Showing with 27 additions and 0 deletions

cms/envs/common.py
+3 -0

common/djangoapps/util/views.py
+19 -0

lms/djangoapps/lti_provider/views.py
+2 -0

lms/envs/common.py
+3 -0

No files found.
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -358,6 +358,9 @@ MIDDLEWARE_CLASSES = (
 # Clickjacking protection can be enabled by setting this to 'DENY'
 X_FRAME_OPTIONS = 'ALLOW'

+# Platform for Privacy Preferences header
+P3P_HEADER = 'CP="Open EdX does not have a P3P policy."'
+
 ############# XBlock Configuration ##########

 # Import after sys.path fixup

--- a/common/djangoapps/util/views.py
+++ b/common/djangoapps/util/views.py
@@ -374,3 +374,22 @@ def accepts(request, media_type):
    """Return whether this request has an Accept header that matches type"""
    accept = parse_accept_header(request.META.get("HTTP_ACCEPT", ""))
    return media_type in [t for (t, p, q) in accept]
+
+
+def add_p3p_header(view_func):
+    """
+    This decorator should only be used with views which may be displayed through the iframe.
+    It adds additional headers to response and therefore gives IE browsers an ability to save cookies inside the iframe
+    Details:
+    http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx
+    http://stackoverflow.com/questions/8048306/what-is-the-most-broad-p3p-header-that-will-work-with-ie
+    """
+    @wraps(view_func)
+    def inner(request, *args, **kwargs):
+        """
+        Helper function
+        """
+        response = view_func(request, *args, **kwargs)
+        response['P3P'] = settings.P3P_HEADER
+        return response
+    return inner
--- a/lms/djangoapps/lti_provider/views.py
+++ b/lms/djangoapps/lti_provider/views.py
@@ -14,6 +14,7 @@ from lti_provider.users import authenticate_lti_user
 from lms_xblock.runtime import unquote_slashes
 from opaque_keys.edx.keys import CourseKey, UsageKey
 from opaque_keys import InvalidKeyError
+from util.views import add_p3p_header

 log = logging.getLogger("edx.lti_provider")

@@ -32,6 +33,7 @@ OPTIONAL_PARAMETERS = [


 @csrf_exempt
+@add_p3p_header
 def lti_launch(request, course_id, usage_id):
    """
    Endpoint for all requests to embed edX content via the LTI protocol. This

--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -1163,6 +1163,9 @@ MIDDLEWARE_CLASSES = (
 # Clickjacking protection can be enabled by setting this to 'DENY'
 X_FRAME_OPTIONS = 'ALLOW'

+# Platform for Privacy Preferences header
+P3P_HEADER = 'CP="Open EdX does not have a P3P policy."'
+
 ############################### PIPELINE #######################################

 PIPELINE_ENABLED = True