Audit a system for insecure content and P3P headers

This technical article describes why you need to audit your systems for insecure content and P3P headers.

Insecure Content

When Talis Aspire Reading Lists pages are embedded in other host systems, all Talis Aspire Reading Lists content will be served over an HTTPS connection. If we didn't do this, browsers would block it as insecure (mixed) content. Some browsers silently block the content and show a blank page, while others make a big fuss.

Some Talis Aspire operations require users to be temporarily redirected to a third party system to authenticate themselves. This system is usually referred to as an Identity Provider (IdP). You may be using Shibboleth, OpenAthens, ADFS, Ping Federate or one of a number of other systems that provide the Single Sign On function that Talis uses.

When a Talis Aspire Reading Lists (TARL) page is embedded in an iFrame of another host system (such as your learning environment) and we have to redirect the user to a Single Sign On service, it is important that the browser is able to load your IdP page without blocking it for showing insecure content.

To check whether any content is being loaded insecurely, check the following:

  • That your Single Sign On service is using HTTPS
  • That any logos or other graphics used in the user interface of your Single Sign On service are served from an HTTPS location.
  • That any scripts, css or other assets are loaded from an HTTPS location.

X-Frame-Options

Your Single Sign On challenge pages may send a header which says that the page cannot be loaded in an iFrame. Unfortunately the LTI specification requires that embedded content is loaded in an iFrame. Talis Aspire Reading Lists requires instructors to be logged in through your Single Sign On system to ensure that the correct identifier for the user is used to look up their profile in Talis Aspire.

You can tell if your IdP is sending X-Frame-Options set to SAMEORIGIN, or some other restrictive setting, by inspecting the response headers of requests made to your IdP.

Talis advise either making an exception for Talis Aspire logins, or asking Talis to enable a 'pop out' login option for your tenancy, which can be used to work around these issues. Contact Talis Support by raising a ticket if you think this might apply to you.

Platform for Privacy Preferences (P3P)

When a user goes to Talis Aspire Reading Lists and is referred to your Single Sign On service to login, a number of cookies will be set.

When a page is loaded in an iFrame, Internet Explorer will silently block all cookies set by a third party (i.e. a different domain to the page showing the iFrame) unless that third party has set a P3P header.

To check whether your systems are setting P3P headers:

  • Check any documentation for your system to see if it is sending P3P headers
  • Make some requests to your system using a tool to inspect all the requests and responses that the browser is sending. Look for a P3P header in the list of headers that are sent back with the response.

Talis Aspire Reading Lists and Talis Aspire Digitised Content and all our related subsystems set P3P headers for all responses that will be embedded in an iFrame.
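The three checks above (assets referenced over plain HTTP, a restrictive X-Frame-Options header, and a missing P3P header) can be run over a single captured response from your IdP. The following is an added example written for this article, not Talis code; the IdP URL, headers and HTML are constructed sample data for a hypothetical institution, and the function is meant to be fed the URL, headers and body you captured with your browser's developer tools or a proxy.

```python
from html.parser import HTMLParser
from typing import Dict, List


class _AssetScanner(HTMLParser):
    """Collects the URLs of sub-resources and form targets referenced by a login page."""
    WATCHED = {"img": "src", "script": "src", "link": "href", "iframe": "src", "form": "action"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.urls.append(value)


def audit_idp_response(page_url: str, headers: Dict[str, str], body: str) -> List[str]:
    """Return findings for one SSO challenge page; an empty list means nothing obvious blocks embedding."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not page_url.lower().startswith("https://"):
        findings.append("page itself is not served over HTTPS")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: {xfo} will stop the page loading in an iFrame")
    if "p3p" not in h:
        findings.append("no P3P header: Internet Explorer will drop third-party cookies in an iFrame")
    scanner = _AssetScanner()
    scanner.feed(body)
    for url in scanner.urls:  # document order, so findings are easy to map back to the HTML
        if url.lower().startswith("http://"):
            findings.append(f"insecure asset reference: {url}")
    return findings


# Constructed sample capture from a hypothetical IdP (not a real system).
SAMPLE_URL = "https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_BODY = """<html><head>
<link rel="stylesheet" href="https://idp.example.ac.uk/css/login.css">
<script src="http://cdn.example.ac.uk/js/login.js"></script>
</head><body><form action="https://idp.example.ac.uk/idp/Authn/UserPassword">
<img src="http://www.example.ac.uk/images/logo.png"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_idp_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```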

So you've decided you need to do something... what next? We found this Stack Overflow question and its answers to be a useful starting point.
