Project

General

Profile

Feature #12121

Embedding H5P Iframes on Commons Site

Added by Laurie Hurson over 1 year ago. Updated 1 day ago.

Status:
Reporter Feedback
Priority name:
Normal
Assignee:
Category name:
WordPress Plugins
Target version:
Start date:
2019-11-20
Due date:
% Done:

0%

Estimated time:

Description

Hi All,

A professor reported that she is unable to embed an H5P iframe on her site. Her email is below:

"I talked to you yesterday at CSI's OER Symposium about my issue embedding tutorials into my course. My course on commons is: https://lib102.commons.gc.cuny.edu/ (I am still in the process of designing it).

The issue is I am not allowed to save any embedded tutorials on my course site. The tutorials I tried to embed are from this OER website, plus some tutorials I am creating: https://owl.excelsior.edu/plagiarism/plagiarism-how-much-do-you-know/

I tried embedding on my own wordpress website: http://judyxiao.com/​ and I had no issues."

I know we have been been doing some mild exploring of H5P but that it is not yet available on the Commons. Could we allow professors to embed h5p iframes from another source as a workaround since the h5p libraries (which I think presented security isues) are not hosted on the Commons? I also remember that the Commons might strip out iFrames when saving a page for security reasons but is there a way to allow professors to embed h5p iframes?

quizz and survey.png (44.4 KB) quizz and survey.png scott voth, 2020-04-17 01:46 PM

Related issues

Related to CUNY Academic Commons - Feature #9947: Install H5P quiz pluginReporter Feedback2018-06-18

History

#1 Updated by Boone Gorges over 1 year ago

#2 Updated by Boone Gorges over 1 year ago

  • Status changed from New to Reporter Feedback

In terms of security, allowing arbitrary iframe embeds is much more dangerous than simply installing the H5P plugin. With H5P, at least we can assume that the shared libraries of H5P content are non-malicious and safe to embed on the Commons. And it's not possible to parse a snippet of iframe or embed code and detect reliably whether the content is from H5P. In the specific case of https://owl.excelsior.edu/plagiarism/plagiarism-how-much-do-you-know/, the embed code points to a WordPress endpoint (admin-ajax.php?action=h5p_embed), but (a) this indicator only works if the source content comes from another WP site using the H5P plugin, and (b) it's not reliable, in that a malicious site could serve up any content whatsoever, masked behind a URL of this format.

If the specific user in question has a list of items she'd like embedded, it's possible that we could set up one-time shortcodes that'll generate the necessary embed code. This is obviously not open-ended, but it might work if it's a relatively small number.

As noted in https://redmine.gc.cuny.edu/issues/9947#note-1, if there's a general push to support H5P content, we should have a team discussion about risk tolerance vs the positive impact of H5P use.

#3 Updated by Laurie Hurson over 1 year ago

Thanks for this info Boone.

Just to clarify, would installing the h5p plugin allow this professor to embed h5p content from another source rather than rebuilding it all herself? If so, installing the plugin might be worthwhile, even if it was only available on her site and not on the Commons for wider use until there is a more extended conversation about making it available on the Commons.

I am not sure how many items she is attempting to embed but I can ask if that is the easier route to take now rather than installing the plugin.

I wouldn't say there is a big push or wide interest in H5P right now; I have not had anyone ask about it in a while. That said, I do think its worthwhile to return to the possibility in the future since it would likely be a huge plus for many instructors to be able to offer low stakes quizzing.

#4 Updated by Boone Gorges over 1 year ago

Just to clarify, would installing the h5p plugin allow this professor to embed h5p content from another source rather than rebuilding it all herself?

By default, the plugin allows you to upload your own H5P content, or to load it from the official H5P library. To my knowledge, neither of these would include embedding of arbitrary H5P content from the owl.excelsior.edu page - the Commons site would either have to load the content from the same library where that H5P content is distributed (if it exists), or the H5P files would have to be sent by the author to the Commons admin and then uploaded to the Commons site. As noted in #9947, I strongly recommend against the functionality that would allow Commons users to upload H5P libraries (the latter situation described here), as there's no way to verify or even assume the security of those files. Generally speaking, I don't see a future where we'd ever allow users to arbitrarily embed content from a third-party site - third-party content can change, can disappear, can be throttled (http://altlab.com/hotlinking.html), etc.

If embedding is impossible in this case, there's always the option of linking out.

#5 Updated by Boone Gorges over 1 year ago

  • Target version set to Not tracked

#6 Updated by Laurie Hurson over 1 year ago

Okay, so just to recap: the plugin would allow users to upload content or build content from the h5p library offered through the plugin. The Commons will not allow users to upload H5P content due to security concerns.There is a way to download an .h5p file by clicking "reuse" on the owl page but I assume this is what you mean by allowing commons users to upload? So the plugin only really facilitates building h5p content directly on the Commons.

Follow up question: if the h5p content can be embedded with an iframe, we also do not allow that on the Commons because the content within the iframe could change. How does this differ from other embeds we have allow on the Commons from things like Google Doc, Padlet, Voicethread, etc?

#7 Updated by Boone Gorges over 1 year ago

From my understanding, there are three ways to get H5P content in the plugin:
1. Create it. See "simple editor" screenshot at https://wordpress.org/plugins/h5p/
2. Get it from the H5P Library, which is a curated library of content from https://h5p.org/content-types-and-applications. This corresponds to the "browse content types" screenshot at https://h5p.org/documentation/setup/wordpress
3. Upload .h5p files created by yourself or others. This corresponds to the screenshot just before the "Add H5P content..." header at https://h5p.org/documentation/setup/wordpress This also corresponds to clicking "reuse" on the owl page.

I think 1 is harmless (this needs verification) and should be no problem to allow. 3 is potentially very problematic and should not be allowed. I leave the wisdom of 2 to the judgment of the group. See https://redmine.gc.cuny.edu/issues/9947#note-1

Follow up question: if the h5p content can be embedded with an iframe, we also do not allow that on the Commons because the content within the iframe could change. How does this differ from other embeds we have allow on the Commons from things like Google Doc, Padlet, Voicethread, etc?

The primary reason for not allowing arbitrary iframes is related to security. We've made the decision that Google, Voicethread, etc are trustworthy enough that the risk of malware injection is low. We can continue to add site-specific embeds on a case-by-case basis. The argument that "the content within the iframe could change" is secondary, but is related to the security issue: content embedded from OWL may be safe today, but if the site is hacked tomorrow, it suddenly becomes malware.

#8 Updated by Laurie Hurson over 1 year ago

I circled back to this professor to get more info on how many quizzes she was hoping to embed and she reported she would look into other options for now. She is going to try out a quiz survey plugin that is already available on the Commons and I will plan to follow up with her to see how that goes.

We may want revisit option 2 and the possibilities for h5p libraries outlined by Boone at some point, as it seems like there is continued interest in quizzing functionalities.

#9 Updated by Marilyn Weber over 1 year ago

We have another request for this:

"Vivian Chan

Hi. Is it possible to embed H5P content in my Wordpress site? I believe we need to install a plugin to make this work https://h5p.org/wordpress."

I replied asking her to tell us more.

#10 Updated by Laurie Hurson over 1 year ago

Thanks for the update!

From what I have learned from Boone, the H5P plugin presents security issues depending on how professors want to add the quiz to the Commons. Since Vivian asked about embedding or uploading quizzes, I don't think we can facilitate this due to the security risks.

If she is willing to build the quizzes directly within the Commons she could try out an alternative quizzing plugin - Quiz and Survey Master. But there are still some kinks to work our with this plugin and it does not work as well as h5p.

Boone - is there a way we can give users access to the h5p plugin but restrict access to the H5P libraries and embedding? Or does plugin activation automatically make libraries available?

#11 Updated by Marilyn Weber over 1 year ago

All - here's the link to Scott's attempt to get updated documentation for Quiz and Survey Master:
https://wordpress.org/support/topic/documentation-link-broken-5/

(Boone, this came up on the call just now. The person who opened the Zendesk ticket hasn't been in touch since Monday's original query, so there appears to be no urgency.)

#12 Updated by scott voth over 1 year ago

Hi Marilyn - I just looked and it seems that they resolved the issue. The link is now working. See attached. (This is about the Quizz and Survey Plugin that we do have on the Commons.)

#13 Updated by Boone Gorges over 1 year ago

Boone - is there a way we can give users access to the h5p plugin but restrict access to the H5P libraries and embedding? Or does plugin activation automatically make libraries available?

This might be possible with some custom development, but it's not possible out of the box.

#14 Updated by Marilyn Weber 9 months ago

Here's another request for the plugin:

- What's the name of the plugin/theme?
Interactive Content - H5P

- In a few words, what does it do?
Description
One of the great benefits with using H5P is that it gives you access to lots of different interactive content types, such as presentation, interactive video, memory game, quiz, multiple choice, timeline, collage, hotspots, drag and drop, cloze test (fill in the blanks), personality quiz, accordion, flash cards, audio recorder.

- How is the plugin/theme different from what's already provided on the Commons?
Another great benefit with H5P is that it allows you to easily share and reuse content. To use content created with H5P, you simply insert a shortcode [h5p Id="1"] where you wish for the content to appear. To reuse content, you just download the H5P you would like to edit and make your changes - e.g. translate to a new language or adjust it to a new situation.
H5P is:
  • Open Source
  • Free to Use
  • HTML5
  • Responsive

- What's the potential impact?
Who will use it? Instructors /Students

- Who is the plugin author?
Contributors & Developers
"Interactive Content - H5P" is open source software. The following people have contributed to this plugin.
Contributors

Contributors

- Say a little bit about the release history and popularity of the plugin. How many times has it been downloaded? When was it last updated?

https://wordpress.org/plugins/h5p/advanced

#15 Updated by Marilyn Weber 9 months ago

This is from
Sharon Jorrín
Media Accessibility and Technology Assistant
CUNY School of Professional Studies

I replied:
"Looks like you copied and pasted many of your answers there. I see that there are security concerns with this plugin, so please give us a better idea of who is requesting it, if they have tried other plugins, and what it is need for. Thank you! "

#16 Updated by Boone Gorges 8 months ago

  • Target version changed from Not tracked to 1.18.1

Thanks, Marilyn. Please let the user know that the dev team has received the request and will continue to investigate options for H5P on the Commons. I'm going to slot this into the release following 1.18, in hopes that we might be able to come up with some workable compromise regarding security in the relatively short term.

#17 Updated by Boone Gorges 7 months ago

  • Target version changed from 1.18.1 to 1.18.2

#18 Updated by Boone Gorges 7 months ago

  • Category name set to WordPress Plugins
  • Assignee set to Boone Gorges
  • Target version changed from 1.18.2 to 1.18.3

#19 Updated by Boone Gorges 6 months ago

  • Target version changed from 1.18.3 to 1.18.4

#20 Updated by Boone Gorges 6 months ago

  • Target version changed from 1.18.4 to 1.18.5

#21 Updated by Boone Gorges 5 months ago

  • Target version changed from 1.18.5 to 1.18.6

#22 Updated by Boone Gorges 5 months ago

  • Target version changed from 1.18.6 to 1.18.7

#23 Updated by Boone Gorges 4 months ago

  • Target version changed from 1.18.7 to 1.18.8

#24 Updated by Boone Gorges 4 months ago

  • Target version changed from 1.18.8 to 1.18.9

#25 Updated by Boone Gorges 3 months ago

  • Target version changed from 1.18.9 to 1.18.10

#26 Updated by Boone Gorges 3 months ago

  • Target version changed from 1.18.10 to 1.18.11

#27 Updated by Boone Gorges 2 months ago

  • Target version changed from 1.18.11 to 1.18.12

#28 Updated by Boone Gorges about 2 months ago

  • Target version changed from 1.18.12 to 1.18.13

#29 Updated by Boone Gorges about 1 month ago

  • Target version changed from 1.18.13 to 1.18.14

#30 Updated by Boone Gorges 16 days ago

  • Target version changed from 1.18.14 to 1.18.15

#31 Updated by Boone Gorges 1 day ago

  • Target version changed from 1.18.15 to 1.18.16

Also available in: Atom PDF