Commit acc515f3 authored by srosse

OO-3352: fix LTI selenium test and add more explanation about what...

OO-3352: fix LTI selenium test and add more explanation about what Content-Security-Policy currently breaks in OpenOLAT
parent 5b827800
......@@ -16,7 +16,7 @@ sec.csp.plugin.type=plugin-type
sec.csp.default.value=Wert immer dabei: {0}. Beispiel: {1}
sec.description=W\u00E4hlen Sie den notwendigen Sicherheitslevel je nach Anforderungen Ihrer Institution. Um die h\u00F6chste Sicherheitsstufe zu erreichen m\u00FCssen s\u00E4mtliche untenstehenden Sicherheitsfunktionen eingeschaltet sein.
sec.description.headers=Diese Headers verhindert unischere Verh\u00e4ltnis wie ...
sec.description.csp=Achtung! Diese Konfiguration kann Kontent bloquieren. Es gibt Werte für jede Directive die nicht konfiguierbar sind, das sind die Werte dass OpenOLAT intern für sich selbst, für Video (youtube und vimeo) und MathJax braucht. Mehr Informationen finden Sie unter <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
sec.description.csp=Achtung! Diese Konfiguration kann Inhalt wie LTI Kursbaustein, externe Seite und HTML Seite sperren. Dazu sind die folgende Kursbaustein zur Zeit noch nicht unterstützt: card2brain, edubase, edubook, GoToTraining, openmeeting, vitero and Paypal. Mehr Informationen finden Sie unter <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
sec.force.download=Dateidownload in Ordner erzwingen
sec.title=Sicherheitseinstellungen
sec.topframe=Frame Einbettung per JavaScript verhindern
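Review bot: The replacement sec.description.csp value writes "für" and "unterstützt" with raw umlauts, while the neighbouring sec.description entry escapes them as \u00FC and \u00F6, and it ends the German list with the English "and Paypal". Escape the umlauts the same way as the rest of the bundle and change "and" to "und". The earlier wording also told administrators that some directive values are fixed because OpenOLAT itself, video embedding (youtube, vimeo) and MathJax need them; the new text drops that, and it is worth keeping next to the new list of unsupported course elements.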
......
......@@ -15,8 +15,8 @@ sec.csp.plugin.type=plugin-type
sec.csp.script.src=script-src
sec.csp.style.src=style-src
sec.description=Choose the security level depending on the requirements of your institution. To achieve the highest security level, all of the security features listed below have to be activated.
sec.description.csp=This configuration can block or break some content. A part of the configuration is fix, these are the values needed by OpenOLAT itself, the MathJax Library and to play video from youtue and vimeo. You will find more informations about content security policy under <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
sec.description.headers=These headers prevetn unsecure behavior.
sec.description.csp=Warning! This configuration can block or break content like LTI course elements, external pages and HTML pages. The following course elements are currently not supported: card2brain, edubase, edubook, GoToTraining, openmeeting, vitero and Paypal. You will find more informations about content security policy under <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
sec.description.headers=These headers prevents insecure behavior.
sec.force.download=Force file download in folders
sec.strict.transport.sec=Prevent downgrade of HTTPS to HTTP with HTTP header
sec.title=Security settings
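Review bot: The replacement sec.description.headers string, "These headers prevents insecure behavior.", has a subject-verb mismatch and should read "These headers prevent insecure behavior." The new sec.description.csp text also carries over "more informations" (should be "more information") and no longer states that part of the configuration is fixed for OpenOLAT itself, MathJax and video playback; keep that sentence alongside the new list of unsupported course elements so administrators know which values they cannot change.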
......
......@@ -83,4 +83,5 @@ base.security.frameOptionsSameOrigine=enabled
base.security.strictTransportSecurity=enabled
base.security.xContentTypeOptions=enabled
base.security.contentSecurityPolicy=enabled
base.security.contentSecurityPolicy.frameSrc=http://lti.frentix.com
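Review bot: The added base.security.contentSecurityPolicy.frameSrc value uses a cleartext http:// origin in a file that also sets base.security.strictTransportSecurity=enabled. On a page served over HTTPS the browser blocks an http:// frame as mixed content regardless of what frame-src allows, so the entry only helps when the instance itself runs over plain HTTP. Use https://lti.frentix.com if that host serves TLS, or state next to the property that the selenium setup runs without HTTPS.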
......@@ -84,3 +84,5 @@ base.security.frameOptionsSameOrigine=enabled
base.security.strictTransportSecurity=enabled
base.security.xContentTypeOptions=enabled
base.security.contentSecurityPolicy=enabled
base.security.contentSecurityPolicy.frameSrc=http://lti.frentix.com
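Review bot: The frameSrc line at the end of this hunk repeats the host added in the previous file with no comment on why lti.frentix.com is allowlisted. The commit message ties it to the LTI selenium test, so add a one-line comment above the property saying it exists for that test, which keeps the entry from being copied unchanged into a production configuration.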