Diff for /loncom/interface/lonexturlcheck.pm between versions 1.1 and 1.4

version 1.1, 2019/05/02 02:12:19 version 1.4, 2020/02/15 03:54:43
Line 41  Called in course context by course perso Line 41  Called in course context by course perso
 privilege or with view-only access to course editing tools.  privilege or with view-only access to course editing tools.
   
 Query string contains one item: name=exturl, value=URL of external resource  Query string contains one item: name=exturl, value=URL of external resource
 (format: http://hostname/path or https://hostname/path).   (format: http://hostname/path or https://hostname/path).
     
 The resource URL is sent to &loncommon::is_nonframeable() to check whether  The resource URL is sent to &loncommon::is_nonframeable() to check whether
 it can be displayed in an iframe in a page served by the current host.   it can be displayed in an iframe in a page served by the current host.
   
 =head1 OVERVIEW  =head1 OVERVIEW
   
Line 53  Input: external resource URL (from query Line 53  Input: external resource URL (from query
 Hostname, lonHostID, and IP address for this node are retrieved from Apache.  Hostname, lonHostID, and IP address for this node are retrieved from Apache.
   
 Dependencies: calls &loncommon::is_nonframeable() to check if server where  Dependencies: calls &loncommon::is_nonframeable() to check if server where
 external resource is hosted is configured with a Content-Security-Policy or   external resource is hosted is configured with a Content-Security-Policy or
 with X-Frame-options settings which prohibit display of the resource within  with X-Frame-options settings which prohibit display of the resource within
 an iframe in a LON-CAPA page served from this node.   an iframe in a LON-CAPA page served from this node.
   
 Output to print buffer: (content-type: text/plain):  1, 0, -1 or empty string.  Output to print buffer: (content-type: text/plain):  1, 0, -1 or empty string.
 '' -- display in iframe is allowed  '' -- display in iframe is allowed
 1  -- display in iframe not allowed   1  -- display in iframe not allowed
 0  -- invalid URL  0  -- invalid URL
 -1 -- could not verify course editing privilege or view-only access to   -1 -- could not verify course editing privilege or view-only access to
       course editing tools        course editing tools
   
 HTTP Return codes:   HTTP Return codes:
 406 -- if user is not in a course  406 -- if user is not in a course
 200 -- otherwise  200 -- otherwise
   
Line 76  use strict; Line 76  use strict;
 use Apache::Constants qw(:common :http);  use Apache::Constants qw(:common :http);
 use Apache::lonnet;  use Apache::lonnet;
 use Apache::loncommon;  use Apache::loncommon;
 use LONCAPA::LWPReq;  
 use HTTP::Request;  use HTTP::Request;
   
 sub handler {  sub handler {
Line 98  sub handler { Line 97  sub handler {
         ((&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) ||          ((&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) ||
          (&Apache::lonnet::allowed('cev',$env{'request.course.id'})))) {           (&Apache::lonnet::allowed('cev',$env{'request.course.id'})))) {
         &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['exturl']);          &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['exturl']);
         if ($env{'form.exturl'} =~ m{^https?\://[^/]+}) {          $env{'form.exturl'} =~ s/^\s+|\s+$//g;
           if ($env{'form.exturl'} =~ m{^https?\://([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}}i) {
             my $hostname = $r->hostname();              my $hostname = $r->hostname();
             my $lonhost = $r->dir_config('lonHostID');              my $lonhost = $r->dir_config('lonHostID');
             my $ip = &Apache::lonnet::get_host_ip($lonhost);              my $ip = &Apache::lonnet::get_host_ip($lonhost);
             $r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip));              $r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip,1));
         } else {          } else {
             $r->print(0);              $r->print(0);
         }          }
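Review bot: The new host check `if ($env{'form.exturl'} =~ m{^https?\://([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}}i)` is anchored only at the start, so it validates a prefix of the string rather than the whole authority component. Whatever follows the matched top-level label is unconstrained, so the host a URL parser later extracts may differ from the one matched here. Requiring a delimiter or end of string after the host, for example by appending `(?:[:/?#]|\z)` before the closing brace, would close that gap; parsing the value and checking the parsed host would be sturdier still. The check is also purely syntactic: if &Apache::loncommon::is_nonframeable() requests the URL from this node (its body is not shown here), a name that passes can still resolve to a loopback or internal address, so the resolved address is worth checking where the request is made. The handler's body begins and ends outside the displayed lines.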
