https://redmine.gc.cuny.edu/ | CUNY Graduate Center - Project Tracking System
CUNY Academic Commons - Feature #9947: Install H5P quiz plugin | https://redmine.gc.cuny.edu/issues/9947?journal_id=37568 | 2018-06-19T20:26:44Z | Boone Gorges (boone@gorg.es)
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Reporter Feedback</i></li></ul><p>The H5P platform uses HTML5 and JavaScript to share content of different "Content Types". Allowing non-admins to upload arbitrary JavaScript and execute it on the front end introduces a number of serious security issues.</p>
<p>H5P's Content Types are not part of the WordPress plugin. As such, there's no way to perform a static security scan on them. These types are either pulled dynamically from the official H5P library, or are uploaded by users, who may create and share them.</p>
<p>If we want to allow H5P on the Commons, we need to make decisions about the level of risk (or, conversely, trust) we want to take on.</p>
<p>1. We could allow Content Types from the official H5P library. This involves trusting that the maintainers of the H5P library don't allow for security vulnerabilities. (Most are developed by their "Core Team", though it sounds like there's a push to accept more Types developed by the "community" - i.e., third parties.)</p>
<p>2. We could allow arbitrary H5P uploads from Commons users. This involves trusting that our users aren't malicious (or dupe-able).</p>
<p>I'd strongly recommend against 2. As in the case of custom WP plugins/themes, we should be doing a full code review of any items provided by members of the Commons community. Members who don't like this policy are always welcome to set up their own WordPress sites, where they're in full control.</p>
<p>As for 1: I don't know enough about the H5P project <a class="external" href="https://h5p.org/about-the-project">https://h5p.org/about-the-project</a> to know what to think. As of right now, a realistic appraisal of the risks is probably that there's next to no risk. But if there <strong>were</strong> to be a breach, now or in the future, the ramifications would be very serious. Wearing the conservative hat of the person who has to deal with potential fallout, I'd recommend against its use. But if there's a sense that this would be a valuable tool for many Commons users, the risk/overhead may be worth it.</p>
CUNY Academic Commons - Feature #9947: Install H5P quiz plugin | https://redmine.gc.cuny.edu/issues/9947?journal_id=37569 | 2018-06-19T20:48:31Z | Matt Gold (mattgold@gmail.com)
<ul></ul><p>Thanks so much for reviewing this so quickly, Boone. I'm meeting with Luke tomorrow, so we can discuss then.</p>
CUNY Academic Commons - Feature #9947: Install H5P quiz plugin | https://redmine.gc.cuny.edu/issues/9947?journal_id=37648 | 2018-06-26T14:57:49Z | Boone Gorges (boone@gorg.es)
<ul><li><strong>Target version</strong> set to <i>Future release</i></li></ul>
CUNY Academic Commons - Feature #9947: Install H5P quiz plugin | https://redmine.gc.cuny.edu/issues/9947?journal_id=38971 | 2018-09-11T15:01:12Z | Luke Waltzer (lwaltzer@gc.cuny.edu)
<ul></ul><p>I'd like to re-explore supporting this tool, as the functionality offered by H5P keeps coming up. I plan to ask Laurie to get a version up and running on a test domain....</p>
CUNY Academic Commons - Feature #9947: Install H5P quiz plugin | https://redmine.gc.cuny.edu/issues/9947?journal_id=40694 | 2018-11-26T20:22:42Z | Boone Gorges (boone@gorg.es)
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-8 priority-4 priority-default closed" href="/issues/10749">Support #10749</a>: Plugin Request - H5P</i> added</li></ul>
CUNY Academic Commons - Feature #9947: Install H5P quiz plugin | https://redmine.gc.cuny.edu/issues/9947?journal_id=47232 | 2019-11-20T21:14:50Z | Boone Gorges (boone@gorg.es)
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-4 priority-4 priority-default" href="/issues/12121">Feature #12121</a>: Embedding H5P Iframes on Commons Site</i> added</li></ul>