SafeExamBrowser / seb-mac

Safe Exam Browser for macOS and iOS
https://www.safeexambrowser.org/macosx
101 stars 41 forks source link

Issue with online office as popup on Mac #292

Closed kollbrt closed 1 year ago

kollbrt commented 1 year ago

We have a problem using SEB with Mac and a task that uses online office in a popup window. When we don't use a URL Filter, then we are able to perfectly open the word file out of our LMS OpenOlat. But not using the URL-Filter in SEB is a security risk, because the students then can write any web adress in the online word file, so that word would generate a link out of that adress. Klicking on it and the students are already on google or whatever they would like... So we desperately need to use the URL Filter. With windows laptops we don't have any problems, this works fine. But the mac books interestingly don't use the same URLs in the background to open the same online word task. We tried to find out, which URL are used by mac books and we identified a list of IP adresses (I attached this list - the first websites on the list are used by windows laptops). Some of them we could identify with reverse DNS lookup, but a few we couldn't identify. So we tried to write directly the IP adress in the URL Filter of the SEB config file, but that didn't work as well. So our hope is, that you might have an idea, what to do or if this is indeed a problem of SEB for mac? Thanks for your help Sincerely Thomas Kollbrunner, BMS Winterthur, PICTS URL-Filter-Liste.docx

danschlet commented 1 year ago

In general, the URL Filter should work exactly same in both the Windows and macOS/iOS versions of SEB (there still might be some edge cases with slight differences as we're using different browser engines). Also as you noted, it's possible that a web application/website uses some client detection and then modified server-side code, depending on the browser engine of the client.

In general, the SEB URL Filter works only correctly with symbolic URL filter rules, not with IP addresses. It also doesn't make sense to filter for IP addresses, as those can anytime change for any domain and especially complex and cloud-based web applications/sites would use load balancers and various front-end servers with different IP addresses.

The correct way how to find out which URLs were blocked by SEB would be to either check the log files (in the macOS version set the log level to Debug if you're using another one and search for the text "blocked by the URL filter: ", there you will find the blocked URL. Best is to use the SEB for macOS feature "Teach SEB allowed/blocked URLs" (see Preferences / Network / Filter) to interactively find URLs which get blocked and adding those to the allow list in SEB settings.

Also we have to note that using URL filters is generally cumbersome, especially for complex web applications there's no guarantee that it will work perfectly in any case. It can also break anytime if for example Microsoft changes anything in their online office implementation. Best would be if vendors of online applications would offer a configurable assessment (exam/test) mode where they would block unwanted functionality themselves. Maybe something to suggest to Microsoft.

kollbrt commented 1 year ago

Dear Mr. Schneider, Thank you for your quick answer and the possible solution for our problem. I tried it out today, but was not really successful. Although I managed to add the "Teach SEB" Modus on Mac, I didn't get any useful URL while opening our Word File in OpenOlat. The strange thing was, that the learning process worked, I got an report, that an URL has been blocked and I could now allow it. After allowing the domain, the word file could be opened finally. But, if I closed the word file again and reopened, I had to allow the URL again. And moreafter, the blocked URL was just showed as "(null)". So, after reopening the preferences of SEB, I didn't see any new, unblocked URL. Do you have any idea, what was going on here? Best regards, Thomas Kollbrunner 20230404_143808

danschlet commented 1 year ago

The I assume that the online Office instance is embedded in an iFrame in OpenOlat (LTI afaik I know works like that). The SEB URL filter probably doesn't see some or most of the URLs invoked in the iFrame. For SEB to be able to block those, you would need to enable the setting "Filter also embedded content" (key URLFilterEnableContentFilter = true). Unfortunately then SEB will use the classic WebView, as there is no support implemented yet for content filtering when using the modern WebView. I don't know if OpenOlat even allows to change this setting and if the online office would work correctly then. If you could organize a testing access for me to try this out myself, I could check if this really is the problem and maybe there's still some easier/faster solution than implementing content filtering (I'll anyways check if I can include that in the 3.4 release).

kollbrt commented 1 year ago

My collegue already sent you a login with a test-environment. Thanks for your help.