Dynamic Content-Security-Policy frame-ancestors for LTI tool

Hello!

Our LTI 1.3 tool web application sets the http header "Content-Security-Policy: frame-ancestors". In the past we could get away with hard coding it with values like "https://*.instructure.com", but we need to support arbitrary domain names. For arbitrary domain names we will need a dynamic frame-ancestors. For example, if the page loading our tool is "https://lms.ltirocks.com" then our frame-ancestors will need to contain "https://lms.ltirocks.com".

I'm trying to avoid the effort of storing this value in a database. I want to instead derive it from the data that is already present in the interaction between LMS and tool. Values from the id_token that is sent from the LMS as part of the OIDC interaction seem promising.

From the id_token there is:
"iss" e.g., "https://lms.ltirocks.com"

"https://purl.imsglobal.org/spec/lti/claim/launch_presentation": {
"return_url": "https://lms.ltirocks.com/courses/2/external_content/success/external_too...",
...

Also, maybe use the http 'referer' header from a safe context?

Right now I'm planning to use the domain name from the 'return_url' parameter as I think this has the greatest chance of containing the URL of the page loading our tool. I know that parameter is optional in the LTI spec, but it is present in the LMSes we support and it always seems to use the domain name of the page loading our tool.

What do you think?
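Here is an added example (not from the original post) of how a tool could derive the directive from the two claims mentioned above. It takes the already-decoded id_token payload, reduces "iss" and "return_url" to https origins, and falls back to 'none' when neither yields a usable origin; the claim values and hostnames in the test data are constructed, and the helper assumes the token has already been signature-verified.

```python
from urllib.parse import urlsplit

LAUNCH_PRESENTATION = "https://purl.imsglobal.org/spec/lti/claim/launch_presentation"


def https_origin(url):
    """Return the https://host[:port] origin of url, or None if it is not a usable https URL."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    # Keep an explicit non-default port: CSP source matching includes the port.
    if parts.port and parts.port != 443:
        return f"https://{host}:{parts.port}"
    return f"https://{host}"


def frame_ancestors_from_claims(claims):
    """Build a frame-ancestors directive from the iss and return_url claims.

    claims: the decoded id_token payload (a dict). Only call this after the
    token's signature, audience, nonce and expiry have been validated; the
    directive is only as trustworthy as the token it came from.
    """
    origins = []
    candidates = (
        claims.get("iss"),
        (claims.get(LAUNCH_PRESENTATION) or {}).get("return_url"),  # optional claim
    )
    for candidate in candidates:
        origin = https_origin(candidate)
        if origin and origin not in origins:
            origins.append(origin)
    if not origins:
        # Nothing usable: refuse framing rather than widening the policy.
        return "frame-ancestors 'none'"
    return "frame-ancestors " + " ".join(origins)
```

Both origins are listed because the issuer and the page hosting the launch are not guaranteed to be the same host, and an origin that is not https is dropped rather than copied into the header.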