From acc515f39c4015cf78e4596026720754da4b0fe7 Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Tue, 13 Mar 2018 09:25:34 +0100
Subject: [PATCH] OO-3352: fix LTI selenium test and add more explain about
 what Content-Security-Policy breaks currently in OpenOLAT

---
 .../org/olat/admin/security/_i18n/LocalStrings_de.properties  | 2 +-
 .../org/olat/admin/security/_i18n/LocalStrings_en.properties  | 4 ++--
 src/test/profile/mysql/olat.local.properties                  | 1 +
 src/test/profile/postgresql/olat.local.properties             | 2 ++
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/olat/admin/security/_i18n/LocalStrings_de.properties b/src/main/java/org/olat/admin/security/_i18n/LocalStrings_de.properties
index 84f34cb45df..32cc4e75618 100644
--- a/src/main/java/org/olat/admin/security/_i18n/LocalStrings_de.properties
+++ b/src/main/java/org/olat/admin/security/_i18n/LocalStrings_de.properties
@@ -16,7 +16,7 @@ sec.csp.plugin.type=plugin-type
 sec.csp.default.value=Wert immer dabei: {0}. Beispiel: {1}
 sec.description=W\u00E4hlen Sie den notwendigen Sicherheitslevel je nach Anforderungen Ihrer Institution. Um die h\u00F6chste Sicherheitsstufe zu erreichen m\u00FCssen s\u00E4mtliche untenstehenden Sicherheitsfunktionen eingeschaltet sein. 
 sec.description.headers=Diese Headers verhindert unischere Verh\u00e4ltnis wie ... 
-sec.description.csp=Achtung! Diese Konfiguration kann Kontent bloquieren. Es gibt Werte für jede Directive die nicht konfiguierbar sind, das sind die Werte dass OpenOLAT intern für sich selbst, für Video (youtube und vimeo) und MathJax braucht. Mehr Informationen finden Sie unter <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
+sec.description.csp=Achtung! Diese Konfiguration kann Inhalt wie LTI Kursbaustein, externe Seite und HTML Seite sperren. Dazu sind die folgende Kursbaustein zur Zeit noch nicht unterstützt: card2brain, edubase, edubook, GoToTraining, openmeeting, vitero and Paypal. Mehr Informationen finden Sie unter <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
 sec.force.download=Dateidownload in Ordner erzwingen
 sec.title=Sicherheitseinstellungen
 sec.topframe=Frame Einbettung per JavaScript verhindern
diff --git a/src/main/java/org/olat/admin/security/_i18n/LocalStrings_en.properties b/src/main/java/org/olat/admin/security/_i18n/LocalStrings_en.properties
index 4ac9e088521..07e294ccf6e 100644
--- a/src/main/java/org/olat/admin/security/_i18n/LocalStrings_en.properties
+++ b/src/main/java/org/olat/admin/security/_i18n/LocalStrings_en.properties
@@ -15,8 +15,8 @@ sec.csp.plugin.type=plugin-type
 sec.csp.script.src=script-src
 sec.csp.style.src=style-src
 sec.description=Choose the security level depending on the requirements of your institution. To achieve the highest security level, all of the security features listed below have to be activated.
-sec.description.csp=This configuration can block or break some content. A part of the configuration is fix, these are the values needed by OpenOLAT itself, the MathJax Library and to play video from youtue and vimeo. You will find more informations about content security policy under <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
-sec.description.headers=These headers prevetn unsecure behavior. 
+sec.description.csp=Warning! This configuration can block or break content like LTI course elements, external pages and HTML pages. The following course elements are currently not supported: card2brain, edubase, edubook, GoToTraining, openmeeting, vitero and Paypal. You will find more informations about content security policy under <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" target="_blank">Content-Security-Policy</a>.
+sec.description.headers=These headers prevents insecure behavior. 
 sec.force.download=Force file download in folders
 sec.strict.transport.sec=Prevent downgrade of HTTPS to HTTP with HTTP header
 sec.title=Security settings
diff --git a/src/test/profile/mysql/olat.local.properties b/src/test/profile/mysql/olat.local.properties
index 1997e76de1b..34e0cd44e1f 100644
--- a/src/test/profile/mysql/olat.local.properties
+++ b/src/test/profile/mysql/olat.local.properties
@@ -83,4 +83,5 @@ base.security.frameOptionsSameOrigine=enabled
 base.security.strictTransportSecurity=enabled
 base.security.xContentTypeOptions=enabled
 base.security.contentSecurityPolicy=enabled
+base.security.contentSecurityPolicy.frameSrc=http://lti.frentix.com
 
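Review bot: The allow-list entry added at `base.security.contentSecurityPolicy.frameSrc` uses a plain `http://` origin for the LTI tool, which permits the tool to be embedded over cleartext, so anyone on the network path can inject content into the frame that the policy is meant to guard. It also sits two lines below `base.security.strictTransportSecurity=enabled`, and if the test instance is served over HTTPS the browser would block an `http:` frame as mixed content regardless of what the CSP allows. If the tool is reachable over TLS, prefer `base.security.contentSecurityPolicy.frameSrc=https://lti.frentix.com`. This is only a test profile, so the direct exposure is limited, but profiles like this tend to be copied into real `olat.local.properties` files, so the example should show the safe form.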
diff --git a/src/test/profile/postgresql/olat.local.properties b/src/test/profile/postgresql/olat.local.properties
index a6dd9ec8f7e..8c7763a890d 100644
--- a/src/test/profile/postgresql/olat.local.properties
+++ b/src/test/profile/postgresql/olat.local.properties
@@ -84,3 +84,5 @@ base.security.frameOptionsSameOrigine=enabled
 base.security.strictTransportSecurity=enabled
 base.security.xContentTypeOptions=enabled
 base.security.contentSecurityPolicy=enabled
+base.security.contentSecurityPolicy.frameSrc=http://lti.frentix.com
+
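Review bot: The `frameSrc` value at line 60 repeats the mysql profile byte-for-byte, including the `http://` scheme; writing it as `base.security.contentSecurityPolicy.frameSrc=https://lti.frentix.com`, or as the scheme-less host source `lti.frentix.com` if the tool must be allowed on both schemes, avoids allow-listing a cleartext embed. A scheme-less host source is matched against the protected page's own scheme, so it would also keep the test policy correct whether the Selenium instance runs on http or https. Since the commit title ties this to fixing the LTI Selenium test, the test run presumably now depends on a third-party origin being reachable, which is worth a comment in the profile such as `# external LTI tool used by the LTI selenium test; requires network access`. The extra trailing blank line at line 61 is harmless but makes the two otherwise identical profiles diverge.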
-- 
GitLab