H5P and Drupal

Hi,

I am using H5P on Drupal 7, 8 and 9.

Is there any way to prevent the H5P content from being viewed by anonymous users via the embed URLs?
For example: www.domain.com/h5p/embed/8626

I know this might be a question for Drupal, but I guess WordPress is also using an iframe for showing content?

This way anyone can see the content because it is just the H5P scripts. Has anyone been able to limit the visibility of these embed URLs?

EDIT: and the problem here is that I still need the embed feature because I have to show the H5P content on my site using an iframe.


Hi!

Seeing your edit, I figure that you already figured that deactivating embedding for the content would also prevent accessing that link.

If you are embedding content from server A (where it's actually located) on a different server B, then you could configure server A to reject requests to URLs matching https://www.domain.com/h5p/embed/<something> that are not coming from server A itself (different IP address). That can be done by configuring a .htaccess file (or the server configuration) appropriately - has nothing to do with H5P per se. It should also work by setting an appropriate Content Security Policy - also not specific to H5P. And on WordPress, you should also be able to use the embed_access hook - but I don't think that's available in the Drupal plugins.

Cheers,
Oliver

Actually, I didn't yet figure out "that you already figured that deactivating embedding for the content would also prevent accessing that link".
How can I deactivate embedding? I can't see that option anywhere in D8. Only on the settings page is there an "embed button" option ("controlled by author", default is off), but there is no embed button...

Actually, my H5P content is on the same server. So the H5P should work from an iframe on the same server, but not straight from the URL.

I guess it is impossible to limit that...


Hi jukka79!

In that case, Drupal 8 seems to behave differently. If you deactivate the embed button (if controlled by the author, there's a separate option below the content) on other platforms, then the embed link doesn't work. In that case, that's something that should potentially be changed in the plugin.

I don't think your visitors will have the same IP address as your server (unless they spoof it), for instance, so if I am not mistaken, you can still restrict access (to your own server's IP address). I never tried that, so I am not entirely sure what a request will look like if it's generated by your own server. Might be worth a try at least.

Best,
Oliver

I think that if you disable embedding on H5P.org, for example for this content here: https://h5p.org/accordion

Anyone can still access/embed that content using this URL: https://h5p.org/h5p/embed/6724, even if you set in Drupal permissions that the page is not accessible to visitor users... unless you disable embedding for all content?

My problem is still that my Drupal 8 theme is using <iframe> tags to show the H5P content from URLs ( /h5p/embed/* ), and it is not possible to limit access to those URLs so that only my server would show them, while a visitor accessing mydomain.com/h5p/embed/323 would get a 403.


Hi!

You're correct with your embedding option assumption, but not "on other platforms" as I mentioned. It would work as you expect on WordPress, for instance, hence my hint that the Drupal (8) integration is working differently.

And I have well understood what you are doing and answered accordingly. Have you checked what IP address your server registers for the caller when your server itself calls the iframe? If it is its own IP address, you can restrict calls to that IP address and deny access otherwise via .htaccess settings or server settings. The same should work for X-Frame-Options, Content Security Policy, etc.

Best,

Oliver 

Hi,

Thank you for your answer.
I haven't checked the IP solution, because my understanding is that the user is the caller of the iframe, not the server.
So if I allow the iframe content only to be opened from the server IP, then the users won't see it.

I might be wrong, but I guess that is how the iframe works; it is like a normal request.


Hi jukka79!

I haven't checked the IP solution, because my understanding is that the user is the caller of the iframe

Then use the "Sec-Fetch-Site" header or the "Referer" header to distinguish who's calling.

Cheers,
Oliver
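The header check suggested in the last reply, written out as an Apache .htaccess rule set. This is an added example, not code from the thread, H5P or Drupal; it assumes Apache 2.4 with mod_rewrite, the site served as https://www.domain.com (the placeholder hostname used in the thread), and that these lines are placed before Drupal's own rewrite rules in the document-root .htaccess.

```apache
# Added example (not from the H5P or Drupal projects): deny direct access to
# /h5p/embed/<id> unless the request comes from an <iframe> on our own pages.
# Assumes mod_rewrite is enabled and our site is https://www.domain.com.
RewriteEngine On

# Apply only to the H5P embed endpoint; every other path is left to Drupal.
RewriteCond %{REQUEST_URI} ^/h5p/embed/

# Browsers that send Fetch Metadata mark an <iframe> loaded from one of our
# own pages as "same-origin"; typing the URL into the address bar gives
# "none", and an iframe on another site gives "cross-site".
# This condition is TRUE (and the request keeps heading for the 403)
# only when the value is NOT same-origin.
RewriteCond %{HTTP:Sec-Fetch-Site} !^same-origin$

# Fallback for browsers without Fetch Metadata: accept a Referer that points
# at our own site. TRUE only when the Referer is missing or belongs elsewhere.
RewriteCond %{HTTP_REFERER} !^https://www\.domain\.com/ [NC]

# All conditions are ANDed: not same-origin AND not our Referer -> 403.
RewriteRule ^ - [F]
```

Both headers are supplied by the visitor's browser, so this stops casual direct opening of the embed URL but is not a substitute for Drupal permissions on the content itself; also make sure the parent page's Referrer-Policy still sends a Referer to same-origin frames, or the fallback condition will block older browsers.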