Content-Security-Policy header configuration


Tom Salyers

Jun 15, 2021, 7:24:10 AM
to Numbas Users
Hi, all.

I'm having a slight problem configuring Nginx for the Numbas LTI provider. Our security people are asking me to lock it down pretty tightly before we can let students access it without needing to be on the VPN, and so far I've managed to get most of it accomplished.

I'm running into an issue, though, where if I set a Content-Security-Policy header for Nginx and then click on a placement in Blackboard, the LTI launch will look like it's happening, but then the actual Numbas resource will never load in the frame.

I haven't had a chance to look in the browser tools to see what might be happening--I've temporarily disabled the header so our digital learning team can keep testing for now--but I was wondering if I'm just missing something really obvious. This is the header as it's currently set in nginx.conf:

add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;

I'm guessing I might need to add the hostnames for our Blackboard system in, but I'm not as up on my Nginx as I should be. Has anyone else run into a similar issue, and if so, how did you fix it? Thanks in advance.

--
Tom Salyers
University of Sheffield

Christian Lawson-Perfect

Jun 28, 2021, 8:54:01 AM
to numbas...@googlegroups.com
Hi Tom,
Can you send me the changes you made to the default nginx conf file, and some steps to reproduce the error?
Does it matter if the link from Blackboard opens in a new tab, or embedded in an iframe?
The Numbas django app should be in charge of setting these headers for all pages it serves; nginx is only responsible for serving static files so my gut feeling is that your add_header directive should only go in the sections for /media and /static.

--
You received this message because you are subscribed to the Google Groups "Numbas Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to numbas-users...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/numbas-users/8e4601d9-0f7c-4e0e-a24b-bfd220b555bbn%40googlegroups.com.
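As an added illustration of the suggestion above (this is not configuration from the thread or from the Numbas project), an nginx server block that puts add_header only in the /static and /media locations and leaves the application pages to the Django app; the hostname, filesystem paths, upstream address and LMS origin are placeholders:

```nginx
# Added example, not the Numbas project's own configuration.
# Hostnames, paths and the upstream address are placeholders.
server {
    listen 443 ssl;
    server_name numbas-lti.example.ac.uk;      # placeholder hostname

    # Application pages (including the LTI launch) are proxied to the
    # Django app, which sets its own security headers. Deliberately no
    # add_header here, so nginx neither duplicates nor overrides them.
    location / {
        proxy_pass http://127.0.0.1:8000;       # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Static assets: a CSP on these responses only affects how the
    # asset itself is treated and cannot interfere with the launch page.
    # Note that add_header directives in a location replace, rather
    # than extend, any add_header inherited from the server level, so
    # every header wanted here must be listed here.
    location /static/ {
        alias /srv/numbas-lti/static/;          # placeholder path
        add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
    }

    location /media/ {
        alias /srv/numbas-lti/media/;           # placeholder path
        add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
    }

    # If a CSP is ever applied to pages that Blackboard embeds in an
    # iframe, the embedding LMS origin must be permitted with
    # frame-ancestors, which is the directive that governs framing:
    #   add_header Content-Security-Policy
    #       "default-src 'self'; frame-ancestors 'self' https://lms.example.ac.uk;" always;
}
```

A quick check after reloading is to request one /static/ path and one application path with curl -sI and confirm the Content-Security-Policy header appears only on the former.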

Tom Salyers

Jun 28, 2021, 10:42:45 AM
to Numbas Users
Hi, Christian.

Thanks! I'll send the header stuff to you separately. I don't want to give away too much of our setup and/or bore everyone to death with my header settings. ;)

As for reproduction, the error seems to come up as soon as the SCORM object for the test/quiz loads, or at least it comes up immediately for me. We haven't tried opening it in a new tab yet, since we embed everything in an iframe by default, but we can try that if it might help.

--
Tom Salyers
University of Sheffield

Christian Lawson-Perfect

Jun 28, 2021, 11:08:50 AM
to numbas...@googlegroups.com
Opening in a new window will get round some same-origin problems: the parent page's security policy applies to any page embedded in an iframe.

Tom Salyers

Jun 28, 2021, 11:17:17 AM
to numbas...@googlegroups.com
I just tried it in a new window... it's still happening, unfortunately. Same AJAX failure and "403 Forbidden". :/
--
Tom Salyers, MBCS
Senior Education Developer/System Administrator

The University of Sheffield
IT Services
10-12 Brunswick Street
Sheffield, S10 2FN
Tel:  0114 222 1141

