I just got a news email with an LTI 1.1.2 security update:
https://www.imsglobal.org/spec/lti/security-update/v1p0
It is not at all clear what security issues this is suppose to fix.
Does anyone know what security issue with LTI 1.1.1 this is suppose to fix?
Thanks,
Søren
PS: 1.1.1, have privacy issues when using http, but that can easily be fixed with https.
The names 1EdTech® and IMS Global Learning Consortium®, the 1EdTech logos, Better Learning From Better Learning Technology®, TrustEd Apps™, 1EdTech TrustEd Apps™, Learning Tools Interoperability®, LTI®, IMS LTI®, IMS Learning Tools Interoperability®, OneRoster®, Caliper Analytics®, Question & Test Interoperability (QTI)®, QTI®, Common Cartridge®, Competencies and Academic Standards Exchange®, CASE®, Competencies and Academic Standards Exchange (CASE)®, Accessible Portable Item Protocol (APIP)®, AccessForAll®, Badge Connect®, Comprehensive Learner Record Standard™, and CLR Standard™ are trademarks of 1EdTech Consortium, Inc. in the United States and/or other countries. All other trademarks and registered trademarks are the properties of their respective owners.
For information on the 1EdTech trademark usage policy, see our trademark policy page.
Security issues with LTIv1p0 and v1p1.1.1
The security update describes the issue as a cross-site request forgery threat that is applicable to all LTI versions prior to v1.3
See the document at https://www.imsglobal.org/spec/lti/security-update/v1p0