[BACK]Return to lonexturlcheck.pm CVS log [TXT] [DIR] Up to [LON-CAPA] / loncom / interface
File:  [LON-CAPA] / loncom / interface / lonexturlcheck.pm
Revision 1.1: download - view: text, annotated - select for diffs
Thu May 2 02:12:19 2019 UTC (5 years, 1 month ago) by raeburn
Branches: MAIN
CVS tags: HEAD
- Bug 6910
Gracefully handle display (and preview) for External Resources for which
Content-Security-Policy or X-Frame-Options prevent display in iframe in LC.

    1: # The LearningOnline Network with CAPA
    2: # Handler to check if external resource can be shown in iframe
    3: #
    4: # $Id: lonexturlcheck.pm,v 1.1 2019/05/02 02:12:19 raeburn Exp $
    5: #
    6: # Copyright Michigan State University Board of Trustees
    7: #
    8: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
    9: #
   10: # LON-CAPA is free software; you can redistribute it and/or modify
   11: # it under the terms of the GNU General Public License as published by
   12: # the Free Software Foundation; either version 2 of the License, or
   13: # (at your option) any later version.
   14: #
   15: # LON-CAPA is distributed in the hope that it will be useful,
   16: # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18: # GNU General Public License for more details.
   19: #
   20: # You should have received a copy of the GNU General Public License
   21: # along with LON-CAPA; if not, write to the Free Software
   22: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA
   23: #
   24: # /home/httpd/html/adm/gpl.txt
   25: #
   26: # http://www.lon-capa.org/
   27: #
   28: #
   29: ###############################################################
   30: ###############################################################
   31: 
   32: =pod
   33: 
   34: =head1 NAME
   35: 
   36: Apache::lonexturlcheck - External Resource URL checker
   37: 
   38: =head1 SYNOPSIS
   39: 
   40: Called in course context by course personnel either with the course editing
   41: privilege or with view-only access to course editing tools.
   42: 
   43: Query string contains one item: name=exturl, value=URL of external resource
   44: (format: http://hostname/path or https://hostname/path). 
   45:  
   46: The resource URL is sent to &loncommon::is_nonframeable() to check whether
   47: it can be displayed in an iframe in a page served by the current host. 
   48: 
   49: =head1 OVERVIEW
   50: 
   51: Input: external resource URL (from query string passed to /adm/exturlcheck).
   52: 
   53: Hostname, lonHostID, and IP address for this node are retrieved from Apache.
   54: 
   55: Dependencies: calls &loncommon::is_nonframeable() to check if server where
   56: external resource is hosted is configured with a Content-Security-Policy or 
   57: with X-Frame-options settings which prohibit display of the resource within
   58: an iframe in a LON-CAPA page served from this node. 
   59: 
   60: Output to print buffer: (content-type: text/plain):  1, 0, -1 or empty string.
   61: '' -- display in iframe is allowed
   62: 1  -- display in iframe not allowed 
   63: 0  -- invalid URL
   64: -1 -- could not verify course editing privilege or view-only access to 
   65:       course editing tools
   66: 
   67: HTTP Return codes: 
   68: 406 -- if user is not in a course
   69: 200 -- otherwise
   70: 
   71: =cut
   72: 
   73: package Apache::lonexturlcheck;
   74: 
   75: use strict;
   76: use Apache::Constants qw(:common :http);
   77: use Apache::lonnet;
   78: use Apache::loncommon;
   79: use LONCAPA::LWPReq;
   80: use HTTP::Request;
   81: 
   82: sub handler {
   83:     my $r=shift;
   84:     if ($r->header_only) {
   85:         &Apache::loncommon::content_type($r,'text/html');
   86:         $r->send_http_header;
   87:         return OK;
   88:     }
   89:     if (!$env{'request.course.fn'}) {
   90:         # Not in a course.
   91:         $env{'user.error.msg'}="/adm/lonexturlcheck:bre:0:0:Not in a course";
   92:         return HTTP_NOT_ACCEPTABLE;
   93:     }
   94:     &Apache::loncommon::content_type($r,'text/plain');
   95:     $r->send_http_header;
   96:     my $uselink;
   97:     if (($env{'request.course.id'}) &&
   98:         ((&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) ||
   99:          (&Apache::lonnet::allowed('cev',$env{'request.course.id'})))) {
  100:         &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['exturl']);
  101:         if ($env{'form.exturl'} =~ m{^https?\://[^/]+}) {
  102:             my $hostname = $r->hostname();
  103:             my $lonhost = $r->dir_config('lonHostID');
  104:             my $ip = &Apache::lonnet::get_host_ip($lonhost);
  105:             $r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip));
  106:         } else {
  107:             $r->print(0);
  108:         }
  109:     } else {
  110:         $r->print(-1);
  111:     }
  112:     return OK;
  113: }
  114: 
  115: 1;
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>