Open athird opened 5 years ago
We can set other headers here. What headers do you need?
I don't know, CORS is a big mystery to me. I'd have thought setting X-Frame-Options to allow-from *.up2university.eu would be the right answer, but apparently Chrome doesn't (and won't?) support Allow-From.
Would the Content Security Policy headers be the right thing? e.g., example 2 from here?
Just to check: the same origin setting is coming from the SSO and not PR?
Trying to access Personal Recorder from a Moodle text editor box via the Record button gives a blank frame and the following error in the browser console:
Refused to display 'https://sso.up2university.eu/simplesaml/module.php/multiauth/selectsource.php?AuthState=_BIG_HEX_NO%3Ahttps%3A%2F%2Fsso.up2university.eu%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttps%253A%252F%252Fpr-up2u.teltek.es%26cookieTime%3D1544705743%26RelayState%3Dhttps%253A%252F%252Fnaked-pr-up2u.teltek.es%252Fsaml%252Flogin' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
Is there a way to fix this? Moodle and the SSO are hosted on the same domain, is that not same-origin enough? :-)
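
Why hosts on the same domain are still different origins, and how a CSP `frame-ancestors` directive changes the outcome, shown as an added example that is not part of this thread or the project's code: a simplified JavaScript model of the browser's framing decision. The `example.org` hostnames are constructed stand-ins for the SSO and Moodle hosts, and `mayFrame` and `sourceMatches` are hypothetical helper names.

```javascript
// Added example: simplified model of the browser's framing check.
// Hosts below are constructed stand-ins, not the deployment's real names.

// Does one frame-ancestors source expression match an embedding page?
function sourceMatches(source, ancestor, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestor.origin === self.origin;
  if (source === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Simplification: a scheme-less source must use the framed page's scheme.
  const wantScheme = (scheme || self.protocol.slice(0, -1)).toLowerCase() + ":";
  if (wantScheme !== ancestor.protocol) return false;
  // URL.port is "" for the scheme's default port; explicit default ports in
  // the source are not normalised here.
  if (port !== "*" && (port || "") !== ancestor.port) return false;
  const h = host.toLowerCase();
  // "*.example.org" matches subdomains only, never example.org itself.
  return wildcard ? ancestor.hostname.endsWith("." + h) : ancestor.hostname === h;
}

// headers: object with lowercase names; ancestorUrls: every embedding page.
function mayFrame(headers, selfUrl, ancestorUrls) {
  const self = new URL(selfUrl);
  const ancestors = ancestorUrls.map((u) => new URL(u));
  const directive = (headers["content-security-policy"] || "")
    .split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    // frame-ancestors takes precedence; X-Frame-Options is not consulted.
    const sources = directive.slice(1);
    return ancestors.every((a) => sources.some((s) => sourceMatches(s, a, self)));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  // Origin is scheme + host + port, so sibling subdomains do not match.
  if (xfo === "SAMEORIGIN") return ancestors.every((a) => a.origin === self.origin);
  // ALLOW-FROM is obsolete: current browsers ignore the header, so it
  // restricts nothing. No header at all also leaves framing unrestricted.
  return true;
}

const SSO = "https://sso.example.org/simplesaml/module.php"; // constructed
const MOODLE = "https://moodle.example.org/mod/page/view.php"; // constructed
```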