SEB CORS issue #472
-
|
Hi, I am trying to integrate SEB with our custom LMS. I made good progress with generating request/config hash, verification on the server side etc. I am facing a peculiar issue. Our server is Spring/Java and the client is Angular. So in dev, we connect from http://localhost:4200 (Client hosted using ng serve) to http://localhost:8080 (Dev API server). So this is a CORS request since the ports are different. And we have OPTIONS before GET/POST and we get the SEB headers and it is working. However, if I make the Angular client (http://localhost:4200) connect to a different server (server IP and port are different), SEB is not setting both the headers (request and config hash) and the verification fails. Any idea why this could be happening? Any suggestions? Thanks for your help. Regards, |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 4 replies
-
|
There were similar reports (especially regarding CORS), see #46, #66 or #84. If this should be the same issue here, then we'd recommend to use the new JavaScript API to query the BEK and/or CK. |
Beta Was this translation helpful? Give feedback.
-
|
ok. Thanks! Will try that.. How does the Javascript SDK work with XMLHttpRequests? I did not see an API to get the request hash given an API I am about to invoke. request hash generated based on the current page URL will not work for XMLHttpRequests.. right? How can I handle this scenario? |
Beta Was this translation helpful? Give feedback.
-
|
With the SEB Javascript API you can get the Config Key (or Browser Exam Key) from the window object of a web page, hashed with its URL. You'll have to figure out how to achieve that with XMLHttpRequests (or do it in a regular request when loading the page). |
Beta Was this translation helpful? Give feedback.
-
|
Only way I can think of is if you give access the original BEK and ConfigKey from the settings. Then we can create the required hash using Javascript. Otherwise the API should support a function that takes a URL as input and returns the required hash values.. Does SEB support this? Otherwise, any plans to add this? Meanwhile, I am going ahead with a custom userAgent suffix. Thanks. |
Beta Was this translation helpful? Give feedback.
-
|
I don't think so, because usually it should not be a problem to check the CK/BEK in a regular request (why using complicated XMLHttpRequests when you could do it easily? but we are no web developers, maybe you have a valid reason). The URL is used as an additional security element to "encrypt" the CK or BEK by hashing it. SEB uses the URL of a real, existing page it displays as this security element. With an API where you could pass an arbitrary URL you could probably try to determine the BEK value by brute force methods or similarly. |
Beta Was this translation helpful? Give feedback.
-
|
I have asked a related question in SafeExamBrowser/seb-mac#564 (I did not find this thread before posting it in the seb-mac repository). |
Beta Was this translation helpful? Give feedback.
There were similar reports (especially regarding CORS), see #46, #66 or #84. If this should be the same issue here, then we'd recommend to use the new JavaScript API to query the BEK and/or CK.