Replies: 1 comment 1 reply
Your suggestion actually sounds reasonable and you explained well why such an extension would make sense, thank you for that! I would suggest going with:
or similar and directly use the relative part of the URL as parameter. We will evaluate this; we have to see if there are possible roadblocks, for example regarding iframes (where we have some limitations, especially with the macOS/iOS browser engine).
First, I started implementing the Config Key check in our LMS by using the `X-SafeExamBrowser-ConfigKeyHash` header before I noticed the comment on the SEB JavaScript API. As the header does not seem to work on iOS anymore (this is still hypothetical in https://safeexambrowser.org/developer/seb-config-key.html), I will need to switch to the SEB JavaScript API. The API does, however, not seem to allow me the same level of 'safety' as the headers used to do. Let me (try to) explain: once an exam is started, the answers of the students are saved with a POST request (let's assume with endpoint `/save`). In my current implementation I thus check the header of the POST request and validate it with `host/save` as absolute URL. With the SEB JavaScript API, I don't think this is possible, as the `/save` URL is not loaded as a page in the browser. Am I missing something here? It seems that the API only allows checking whether the valid configuration is used when the exam is started / loaded.

One way to solve this would be to also expose a `SafeExamBrowser.security.computeConfigKeyForUrl(absolute_url)` function in the SEB JavaScript API. I would then use this to get the hash which I now get in the header, and send it as part of the body of the POST request.

EDIT: apparently a similar suggestion was already given before in a discussion in the Windows repository. See SafeExamBrowser/seb-win-refactoring#472 (comment)
The reason why I want to be able to also compute the hash for any API calls I make is to prevent people from manually making the API calls outside of SEB. So I need to be able to detect whether SEB (with the right configuration) is being used when the API calls are being made.

To counter the brute-force issue mentioned in the other thread, it would be sufficient to be able to generate the hash for URLs starting with the same base URL as the one of the page. On top of this, you could limit it to a small number of calls, as you will probably not need more than 10 different API endpoints.
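The server-side check the post above describes, written out as an added example (this is not the poster's LMS code and not part of SEB; it only illustrates the thread). It assumes the hashing scheme from the linked SEB developer page, SHA-256 over the absolute request URL followed by the Config Key, sent as lowercase hex, and it strips any URL fragment before hashing as this example's own normalisation choice. The Config Key, host name and `/save` endpoint are constructed sample values. The second function implements the restriction proposed at the end of the post: a hash may only be requested for URLs under the same base as the exam page.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

HEADER_NAME = "X-SafeExamBrowser-ConfigKeyHash"

# Constructed sample Config Key (64 hex chars, like a real one); not a real key.
SAMPLE_CONFIG_KEY = "1d9d4f0b6f2a4c3a9c0b7e1a2f3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c"


def normalize_url(url: str) -> str:
    """Drop the fragment: '#...' never reaches the server, so it cannot be part of the hash."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def config_key_hash(absolute_url: str, config_key: str) -> str:
    """Expected header value: SHA-256(absolute_url + config_key), lowercase hex.
    Assumed from the SEB developer docs linked in the post."""
    data = (normalize_url(absolute_url) + config_key).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def verify_config_key_header(absolute_url: str, header_value, config_key: str) -> bool:
    """Validate the header for exactly the URL the request was sent to.
    A hash computed for the exam page URL does not validate for /save,
    which is the gap the post describes."""
    if not header_value:
        return False
    expected = config_key_hash(absolute_url, config_key)
    # constant-time comparison so timing does not leak how much of the digest matched
    return hmac.compare_digest(expected, header_value.strip().lower())


def url_within_base(page_url: str, target_url: str) -> bool:
    """The proposed restriction: only compute a hash for URLs that share the
    page's scheme, host and directory, so the API cannot be used as a hash oracle
    for arbitrary URLs."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    if page.scheme != target.scheme or page.netloc != target.netloc:
        return False
    base_dir = page.path.rsplit("/", 1)[0] + "/"
    return target.path.startswith(base_dir)


def check_save_request(request: dict, config_key: str) -> bool:
    """Constructed request shape: {'url': absolute URL of the POST, 'headers': {...}}."""
    return verify_config_key_header(request["url"], request["headers"].get(HEADER_NAME), config_key)


if __name__ == "__main__":
    exam_page = "https://lms.example/exam/quiz.php"
    save_url = "https://lms.example/exam/save"
    good = {"url": save_url, "headers": {HEADER_NAME: config_key_hash(save_url, SAMPLE_CONFIG_KEY)}}
    wrong_url = {"url": save_url, "headers": {HEADER_NAME: config_key_hash(exam_page, SAMPLE_CONFIG_KEY)}}
    print("hash for /save     :", check_save_request(good, SAMPLE_CONFIG_KEY))
    print("hash for exam page :", check_save_request(wrong_url, SAMPLE_CONFIG_KEY))
    print("same base          :", url_within_base(exam_page, save_url))
```

The last check is only a mitigation for the oracle concern raised in the other thread: it limits which URLs a page can obtain a hash for, it does not stop a script running inside SEB on the exam page from calling the API itself, so rate-limiting the number of calls (as suggested above) is a separate control.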