Forums | Mahara Community

HapYak Interactive video


Aaron Wells
Posts: 896

03 March 2014, 12:19

Okay, I tested it out on a couple of 1.8 sites myself, using hapyak.com as the iframe source. It works correctly if the iframe's URL has the slash in it (hapyak.com/?...) and it doesn't work if the iframe URL does not have the slash (hapyak.com?...)

This is a bug in the "allowed iframe sources" code. It is perfectly legal to have a URL with a question mark immediately after the domain name, but it's somewhat unusual, so our code apparently doesn't handle that scenario. I've filed a bug report: https://bugs.launchpad.net/mahara/+bug/1286935

I also noticed that if you use this iframe source in an HTTPS site, the https://hapyak.com SSL certificate gives a warning in Firefox because it's associated with the domain name heroku.com instead of hapyak.com. But there's nothing we can do about that in Mahara.

Cheers,

Aaron

Gideon Williams
Posts: 108

03 March 2014, 12:39

No wonder I have been having problems - don't know my forwards from my backwards!

Just added in hapyak.com to allowed sources list and it works...

Works with the addition of the [insert correct term] slash as mentioned in Gregor's last post

Many thanks to all who have contributed

Gideon

Kristina Hoeppner
Posts: 4991

04 March 2014, 8:23

Hi Aaron,

I tend to say that it is better to get as much from the path of the URL that is common to all iframes on the site, to prevent someone from just inserting a random page, e.g. the contact page, and not actually the media item, making the iframe code use more secure. Or is that a misconception?

Cheers

Kristina

Aaron Wells
Posts: 896

04 March 2014, 10:06

Hi Kristina,

You are correct, if a site's iframe URL always contains a particular path component, it's best to include that in the allowed iframe source for security purposes.

In the case of the hapyak.com URLs, there is no path component. There's only a domain (hapyak.com) and then a query string (starting with ?embed=true). (For those unfamiliar with the parts of a URL, see this quick explanation.) In theory we could change the code to also include query components in an iframe source... I suppose that would allow for locking things down even more.

Cheers,

Aaron
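
The two points in the exchange above (a URL with `?` directly after the domain, and locking an allowed source to a path prefix) can be seen in the following added example, which is not part of the thread and is not Mahara's code. The allowlist entry format, the function names, the `naivePrefixCheck` illustration and the `media.example` / `other.example` hosts are assumptions made for the example.

```javascript
// Added example, not Mahara's code. Allowlist entries are written without a
// scheme: "host" or "host/path/prefix" (assumed format).

// Hypothetical naive check: plain string prefix on "host/". It reproduces the
// symptom from the thread, since "hapyak.com?embed=true" has no slash.
function naivePrefixCheck(src, allowedSources) {
  const rest = src.replace(/^https?:\/\//, "");
  return allowedSources.some((entry) => rest.startsWith(entry + "/"));
}

// Parsed check: compare host and path separately after URL normalisation.
function isAllowedIframeSrc(src, allowedSources) {
  let url;
  try {
    url = new URL(src); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;

  return allowedSources.some((entry) => {
    const allowed = new URL("https://" + entry);
    // Exact host match: "hapyak.com.other.example" must not pass.
    if (url.hostname !== allowed.hostname) return false;
    // An empty path normalises to "/", so "host?query" equals "host/?query".
    const base = allowed.pathname;
    const prefix = base.endsWith("/") ? base : base + "/";
    // Match on a segment boundary so "/embed" does not admit "/embedded".
    return url.pathname === base || url.pathname.startsWith(prefix);
  });
}

// Constructed sample inputs.
const samples = [
  "https://hapyak.com/?embed=true",
  "https://hapyak.com?embed=true",
  "https://hapyak.com.other.example/?embed=true",
];
for (const s of samples) {
  console.log(s, naivePrefixCheck(s, ["hapyak.com"]), isAllowedIframeSrc(s, ["hapyak.com"]));
}
```
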

Account deleted
Posts: 1

07 May 2014, 2:47

Hi Gid, We have added a fix for this issue to the platform.

Great to hear that you are finding it useful. Please feel free to ping us any time with product suggestions of fixes that will make your lives easier.

-Cass

(Customer Success Director at HapYak).

csapir at hapyak dot com
