First, I started implementing the Config Key check in our LMS by using the `X-SafeExamBrowser-ConfigKeyHash` header before I noticed the comment on the SEB JavaScript API. As the header does not seem to work on iOS anymore---this is still hypothetical in https://safeexambrowser.org/developer/seb-config-key.html ---I will need to switch to the SEB JavaScript API.

The API does not, however, seem to allow me the same level of 'safety' as the header used to. Let me (try to) explain: once an exam is started, the answers of the students are saved with a POST request---let's assume with endpoint `/save`. In my current implementation I thus check the header of the POST request and validate it with `host/save` as the absolute URL. With the SEB JavaScript API, I don't think this is possible, as the `/save` URL is not loaded as a page in the browser. Am I missing something here? It seems that the API only allows checking whether the valid configuration is used when the exam is started / loaded.

One way to solve this would be to also expose a `SafeExamBrowser.security.computeConfigKeyForUrl(absolute_url)` function in the SEB JavaScript API. I would then use this to get the hash which I now get in the header, and send it as part of the body of the POST request.

The reason why I want to be able to also compute the hash for any API calls I make is to prevent people from manually making the API calls outside of SEB. So I need to be able to detect whether SEB (with the right configuration) is being used when the API calls are being made.

To counter the brute-force issue mentioned in the other thread, it would be sufficient to be able to generate the hash for URLs starting with the same base URL as the one of the page. On top of this, you could limit it to a small number of calls, as you will probably not need more than 10 different API endpoints.
EDIT: apparently a similar suggestion was already given before in a discussion in the windows repository. See SafeExamBrowser/seb-win-refactoring#472 (comment)