Re: Controlling who can consume resources on an exercise


Cay Horstmann

Mar 13, 2025, 3:53:15 AM
to Shaffer, Cliff, Hicks, Alex, splice-smart-learni...@googlegroups.com
If the PrairieLearn content is displayed in an iframe, then that iframe is loaded from the student's browser. The host of the aggregator is in the "Referer" HTTP header, so Craig's server could whitelist specific referers. That way he can be protected against unwanted aggregators. However, if someone wanted to do a denial of service attack, they could fake the header.

Alternatively, Craig could give out API tokens that he can revoke on abuse. Then the aggregator would programmatically populate the iframe. It's a little weird but it can be done: https://stackoverflow.com/questions/52027873/can-the-src-attribute-of-an-iframe-perform-a-post-request

On 13/03/25 01:13, Shaffer, Cliff wrote:
> I might have spoken to one or both of you about this already. But let's try to get something written down.
>
> Issue: I was speaking to Craig Zilles from UIUC and PrairieLearn about the SPLICE protocol. He raised the issue that some PrairieLearn exercises require substantial server-side computation to grade. So he is concerned about the notion of providing public access to them that arbitrary third parties might incorporate into their own aggregators (eTextbook, etc). Conceivably, that could lead to too much load on the system.
>
> Conceptually, a reasonable solution should be to whitelist sites that would get serviced, and throttle requests from other sites when needed (or always).
>
> How easy is this approach to accommodate?
>                -- Cliff
>
> --
> Dr. Cliff Shaffer
> Professor
> Department of Computer Science    Phone: (540) 231-4354
> Virginia Tech, Blacksburg, VA 24061    WWW: http://www.cs.vt.edu/~shaffer
>

--

Cay S. Horstmann | https://horstmann.com
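The two controls discussed in this thread, Cliff's referer allowlist with throttling for everyone else and Cay's revocable API tokens, combined into one request-admission check. This is an added illustration, not code from the thread or from PrairieLearn; the hosts, token values and per-minute limits are constructed sample values, and the spoofable Referer is treated as a weak signal by keeping a per-IP cap even for allowlisted hosts.

```python
import hmac
import time
from urllib.parse import urlsplit

# Constructed sample policy (an assumption for this example, not PrairieLearn's config).
ALLOWED_REFERER_HOSTS = {"etextbook.example.edu"}
API_TOKENS = {"tok-aggregator-A": "eTextbook A"}   # revocable token -> aggregator
REVOKED_TOKENS = set()                             # tokens pulled after abuse
LIMIT_ALLOWLISTED = 60   # requests/minute per client IP for allowlisted referers
LIMIT_OTHER = 5          # requests/minute per client IP for everyone else
_buckets = {}            # (scope, client ip) -> [remaining budget, last refill time]

def referer_host(headers):
    """Host part of the Referer header, or None if absent or unparseable."""
    ref = headers.get("Referer")
    return urlsplit(ref).hostname if ref else None

def token_owner(headers):
    """Aggregator owning a valid, unrevoked bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, owner in API_TOKENS.items():
        if hmac.compare_digest(presented, token) and token not in REVOKED_TOKENS:
            return owner
    return None

def throttled(key, limit, now):
    """Token bucket: True when this client has exhausted its per-minute budget."""
    budget, last = _buckets.get(key, (limit, now))
    budget = min(limit, budget + (now - last) * limit / 60)   # refill since last seen
    if budget < 1:
        _buckets[key] = [budget, now]
        return True
    _buckets[key] = [budget - 1, now]
    return False

def decide(headers, client_ip, now=None):
    """Return 'serve', 'throttle' or 'reject' for one grading request."""
    now = time.time() if now is None else now
    if token_owner(headers):               # revocable token: serve without Referer checks
        return "serve"
    if headers.get("Authorization"):       # a token was presented but is unknown or revoked
        return "reject"
    host = referer_host(headers)
    if host in ALLOWED_REFERER_HOSTS:      # Referer can be faked, so keep a per-IP cap anyway
        return "throttle" if throttled(("ref", client_ip), LIMIT_ALLOWLISTED, now) else "serve"
    return "throttle" if throttled(("other", client_ip), LIMIT_OTHER, now) else "serve"
```

Revoking a token is a matter of adding it to REVOKED_TOKENS; a faked Referer from a single address still runs into the per-IP bucket.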

Shaffer, Cliff

Mar 14, 2025, 11:49:48 AM
to Cay Horstmann, Hicks, Alex, splice-smart-learni...@googlegroups.com
Thanks! Going to put this to sleep for now, but hopefully it will become relevant some day.

By the way, David Smith is joining us at VT! So maybe we'll get some sort of movement on integrating our community with PrairieLearn.
                  -- Cliff

--
Dr. Cliff Shaffer
Professor
Department of Computer Science    Phone: (540) 231-4354
Virginia Tech, Blacksburg, VA 24061    WWW: www.cs.vt.edu/~shaffer

