Commit 3a306423 authored by Peter Spicer

Bug 1859605 Allow MNET remote peer to be included in CSP

When using Mahara preview from Moodle grading interface, this initiates
an MNET jump inside an iframe, which fails due to the remotewwwhost not
being specified inside the Content-Security-Policy. Mahara does make
this configurable, but not from inside the MNET workflow by default.

Change-Id: I26cd51f98e7b1880367eedadfaad41aad3a88138
behatnotneeded: Requires MNET to be configured
parent c8e1c008
+5 −0
@@ -93,6 +93,11 @@ foreach($instances as $instance) {

if ($res == true) {
    // Everything's ok - we have an authenticated User object
    // Now allow for MNET to set a valid CSP for this session allowing the peer to be in iframes.
    $parts = parse_url($remotewwwroot);
    $cspurl = $parts['scheme'] . '://' . $parts['host'];
    $SESSION->set('csp-ancestor-exemption', $cspurl);

    // confirm the MNET session
    // redirect
    if ($remoteurl) {
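Review bot: The added lines index $parts['scheme'] and $parts['host'] without checking the result of parse_url($remotewwwroot), which returns false for a seriously malformed URL and omits any component missing from the input, so a wwwroot without a scheme or host would raise notices and store a malformed value such as '://' under 'csp-ancestor-exemption'. Check that both keys are set, and that the scheme is http or https, before calling $SESSION->set(), and skip the exemption otherwise. The port is also dropped: if the peer is served on a non-default port, a CSP source of the form scheme://host will not match it, so append ':' . $parts['port'] when it is present. Because this value is destined for the Content-Security-Policy header, the comment should also say where $remotewwwroot is checked against the configured MNET peer, since that is not visible in this hunk.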