
SEB Hash failure inside iFrame on macOS

Open RoChess opened this issue 2 years ago • 10 comments

Trying to add support back in for macOS hash keys after the changes made in 3.2.5, we ran into a problem where everything works until the site is placed inside an iframe.

  • Windows direct = works on v3.4.1 and 3.5.0
  • Windows iframe = works on v3.4.1 and 3.5.0
  • macOS direct = works without issues on v3.2.5
  • macOS iframe = fails on v3.2.5

The macOS SEB client often needs the ReRead button to obtain hash values, but that is something we can easily deal with.

The same JavaScript calls are made, but inside an iframe the hashes fail on macOS. Created a basic sample that does the bare minimum to demonstrate the bug at: https://sandbox.verifyexpress.com/seb/

RoChess avatar Jun 17 '23 00:06 RoChess

That is weird, as SEB 3.2.5 didn't really incorporate many changes. Which was the last version of SEB for macOS which worked in your case?

I would need testing access to your system to be able to debug this further.

danschlet avatar Jun 20 '23 12:06 danschlet

Hi Daniel,

You have full access, on the link provided, use the ConfigKeyTest.seb link which launches SEB to the same URI.

Then simply click on the "IFrame" link to see the issue.

Loading it in root/normal shows that the hashes work fine, and the Windows SEB works on both scenarios without any issues on both current version 3.5.0 as well as previous 3.4.1.

RoChess avatar Jun 20 '23 20:06 RoChess

Sorry, I missed the link to your testing page.

Please answer my question: "Which was the last version of SEB for macOS which worked in your case?"

A few points:

  • Please don't use config files saved "for configuring clients" for testing purposes; always use "for starting exam" if not strictly required for the test case. In general, configs for configuring clients shouldn't be used with BYOD, only for managed computers, where they make the most sense. We will have to communicate that more clearly and change the default for the setting in SEB to "for starting exam".
  • The test page labels suggest that you are only using the HTTP request headers. For the macOS and iOS versions, your settings won't work like this. You have the setting Browser / Select Browser Engine Policy = "Prefer Modern" (browserWindowWebView = 3). Then the modern WebView is used, where it's impossible to use custom HTTP request headers. You can see in SEB if the modern WebView is used trying to pinch-to-zoom on a trackpad (that doesn't work in the classic WebView). You will have to transition to the SEB Javascript API (which is also supported in the Windows version), as sooner or later Apple will remove support for the classic WebView. Although maybe your test page is already doing that (otherwise you couldn't get the keys from SEB for macOS at all)?
  • Your test page says Matched with ConfigKey: No match! even if the Config Keys displayed are the same. Or am I missing something?

danschlet avatar Jun 21 '23 07:06 danschlet

Ah I see your page displays "SafeExamBrowser object undefined", so you are indeed using the SEB JS API I guess. That would have been important information for me to understand the issue... So now the most important question is: Did it work in iFrames on Mac only before when you were using just the HTTP request headers and it's not working since using the SEB JS API?

danschlet avatar Jun 21 '23 07:06 danschlet

The config files were created on my Windows system, and the SEB 3.5.0 editor does not have those macOS options (this was another issue I raised and you pushed that back to the 3.6.0 release). I just did not have easy access to my MacBook Air, but that is something I will try tomorrow.

Appreciate the pointer on the "for configuring clients" option, so will ensure that is used properly and will look forward to the update making it more clear. In the end this was just a quick setup to give you the most basic example we could make to reproduce the issue versus setting up full access through Canvas (the reason for the iframe) and then having to explain our product as well.

We are indeed using the SEB JS API, and everything works, but the JS object does not get defined within the iframe. It works perfectly fine in macOS SEB at root level. And on the Windows versions it works without issues.

Worst case we will tell clients to configure Canvas (or other LMSes) to load us in a "new tab", but that creates an end-user experience that is not optimal, so we would like to avoid it. Canvas does now support a way for LTI-tools to escape their LTI frame through a message channel, so that could be something we can then dynamically achieve only for the situations that require it.

Not every LMS supports those methods though, so would prefer to keep support as broad as possible.

Did it work in iFrames on Mac only before when you were using just the HTTP request headers and it's not working since using the SEB JS API?

We ended up creating a duct-taped solution with fallback scenarios where in the end the UserAgent string was used. So, we always had it functional in the end, but obviously not secure for each scenario and when we saw the release reference that macOS SEB solved the custom-header issue through the JS method we decided to investigate everything again.

I'll have to refer with my developer for more details.

For the macOS and iOS versions, your settings won't work like this.

That remains weird, because macOS SEB works fine as long as the page is not inside an iframe. I did not have access to an iPhone or iPad at test time, and figured I would keep the issue focused first on macOS SEB within an iframe.

Guess we just wanted to ensure it was not a bug in SEB (or WebView/Kit) that you simply weren't aware of because for the Moodle integration iframes are more than likely never used.

RoChess avatar Jun 21 '23 22:06 RoChess

The issue essentially boils down to this:

On macOS SEB v3.2.5, a config that goes to https://safeexambrowser.org/exams/bek_ck.html (which I understand is the reference sample for the JavaScript API?) correctly displays the following info via JS, for example:

Config Key (hashed with URL): 2c9f6fffbcf991afcab54eeadf4cd4284d6f144fd30e5b4da5549d3e7b0b155a
Browser Exam Key (hashed with URL): c0c1688fc627813b819736e06efb72b585f30a1bbbf16ac544411a2e6fb1227e
Application version: Safe Exam Browser_macOS_3.2.5_1456D_org.safeexambrowser.SafeExamBrowser

Using a simple wrapper html that places the above site inside an iframe, for example:

<html>
    <body>
        <!-- Wrapper page that embeds the SEB test page in an iframe -->
        <iframe style="padding: 25px; border: 1px solid red;" src="https://safeexambrowser.org/exams/bek_ck.html" width="1024" height="800"></iframe>
    </body>
</html>

yields: Could not read security information!

If you click on the Read Security Information button, you will see an alert window that displays the SEB JS object's details; there you will see that both CK and BEK are empty strings (or null, not sure), like so:

SEB Security Information:
CK: 
BEK: 
Application version: Safe Exam Browser_macOS_3.2.5_1456D_org.safeexambrowser.SafeExamBrowser

So our suspicion is that whatever mechanism is used to fill the JS object's value is only triggered for top level documents, and is not triggered for documents that get loaded inside an iframe.

The config file has nothing special, except the URL set and the browsing engine set to "prefer modern", which I understand is not needed for the JS API to work; nevertheless it is set.

Back when SEB put the hashes into the headers itself I believe this worked fine, but even if it didn't, we believe it should and hope this is just an oversight that can be fixed. Like my colleague said, it seems to work fine on Windows.

Happy to provide more info if needed.

chrisaut avatar Jun 22 '23 03:06 chrisaut

The config files were created on my Windows system, and the SEB 3.5.0 editor does not have those macOS options (this was another issue I raised and you pushed that back to the 3.6.0 release). I just did not have easy access to my MacBook Air, but that is something I will try tomorrow.

Yeah, this is a bit of an annoyance for some users, we acknowledge. Unfortunately we may have to push this issue even further back, as we had to add some more urgent issues to 3.6. We actually need to refactor the SEB Windows Configuration Tool completely, because the legacy code used now is hard to maintain and to add more than just a couple of setting options is unnecessarily complicated.

Appreciate the pointer on the "for configuring clients" option, so will ensure that is used properly and will look forward to the update making it more clear. In the end this was just a quick setup to give you the most basic example we could make to reproduce the issue versus setting up full access through Canvas (the reason for the iframe) and then having to explain our product as well.

Ok, we recently realized that "configuring clients" is used in cases where it doesn't really make sense. Our quite basic documentation wasn't clear enough on that point for sure.

We are indeed using the SEB JS API, and everything works, but the JS object does not get defined within the iframe. It works perfectly fine in macOS SEB at root level. And on the Windows versions it works without issues.

I think the root cause of this is that the macOS API doesn't offer a clear option to inject JS on iFrame level (while the Windows CEF API does), but we have to investigate that.

Did it work in iFrames on Mac only before when you were using just the HTTP request headers and it's not working since using the SEB JS API?

We ended up creating a duct-taped solution with fallback scenarios where in the end the UserAgent string was used. So, we always had it functional in the end, but obviously not secure for each scenario and when we saw the release reference that macOS SEB solved the custom-header issue through the JS method we decided to investigate everything again.

I'll have to refer with my developer for more details.

Ok, understand. It's just usually easier to track down an issue if we have precise information on which SEB version it worked and with which version it stopped working. Also sometimes the used macOS versions might play a role.

For the macOS and iOS versions, your settings won't work like this.

That remains weird, because macOS SEB works fine as long as the page is not inside an iframe. I did not have access to an iPhone or iPad at test time, and figured I would keep the issue focused first on macOS SEB within an iframe.

Discard this comment, at that point I didn't know you're already using the SEB JS API.

danschlet avatar Jun 23 '23 15:06 danschlet

Simplified the test-scenario by solely relying on your "bek_ck_new.html" test page.

https://sandbox.verifyexpress.com/sebjstest/

This page offers a link to open https://safeexambrowser.org/exams/bek_ck_new.html in a new tab, but also shows it inside an iframe for easy SEB testing. A SEB configuration file with the modern-webview-preferred and exam-launch options active that points to this page is provided.

SEB Windows 3.7.0 works fine direct+iframe
SEB macOS 3.3.3 works fine direct, but fails inside iframe

Could not find any notes on whether I had found an older version of SEB that still worked, so I will test for that tomorrow by installing a wide range of older DMGs, but I am hoping the issue is easy to spot in your development setup with these easy-to-reproduce steps.

RoChess avatar Jun 06 '24 21:06 RoChess

Unfortunately SEB for macOS/iOS is not compatible with systems which embed the exam content in an iFrame. What I wrote here

I think the root cause of this is that the macOS API doesn't offer a clear option to inject JS on iFrame level (while the Windows CEF API does), but we have to investigate that.

seems to still be correct. I will file a feature request at Apple, but that won't give any quick solution.

danschlet avatar Jun 06 '24 21:06 danschlet

I implemented support for CK/BEK in SEB 3.4 beta. There are limitations though: it seems that only when using the SEB JS updateKeys function with a callback can you reliably read the CK/BEK hashes in an iFrame (the reason is a WebKit API limitation regarding iFrames). I used accordingly updated code for a test page at https://safeexambrowser.org/exams/bek_ck_iframe.html.

danschlet avatar Aug 13 '24 17:08 danschlet