Can we expose App-Signature-Key through a JavaScript API? #494
gabrielsieben
started this conversation in
Ideas
Replies: 0 comments
Hello,
For my custom LMS integration, it would be incredibly useful if there was an API exposing App-Signature-Key, similar to SafeExamBrowser.security.appSignatureKey or similar.
The reason for this is to skip the login screen when a user clicks "Start exam" in a remote BYOD scenario. It's important for me to verify the integrity of the client due to the existence of several public patch tools for current SEB versions. My current workaround is to create a generic SEB configuration profile which is used for every quiz in the app (with BEKs recorded for each platform), and then using the IP address of the incoming connection to figure out if the user is the same.
This has obvious weaknesses - if two users click "Start exam" on the same network within a minute of each other, they might be logged in as each other. If there is a VPN extension in the browser (or Apple's built-in iCloud Private Relay), that needs to be turned off as it could interfere. It would be much better if I could provide a server-generated config, but I would have no idea what the BEK would be and couldn't prevent patched versions. Having SafeExamBrowser.security.appSignatureKey would allow verifying the client while still server-generating the config, fixing all of my problems.
Thoughts? (Or, if there's a better way to handle this, what would it be? Alternatively, similar to how we have BEK, maybe we could have the key hashed with the current URL?)
Gabriel
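
The following is an added example, not part of the original post and not SEB project code: a Node.js sketch of how an LMS could check a key hash bound to the current URL against keys recorded per platform, as the post's last suggestion describes. The hash construction (SHA-256 over the absolute URL followed by the key, hex-encoded), the key values, the function names and the `lms.example` URL are all assumptions made for illustration.

```javascript
// Added example: server-side check of a URL-bound key hash (illustrative only).
const crypto = require("node:crypto");

// Constructed sample values: one recorded key per platform build the LMS accepts.
const ACCEPTED_KEYS = {
  windows: "a".repeat(64),
  macos: "b".repeat(64),
  ios: "c".repeat(64),
};

// Assumed construction: hex SHA-256 over the absolute URL followed by the key.
function urlBoundHash(url, key) {
  return crypto.createHash("sha256").update(url, "utf8").update(key, "utf8").digest("hex");
}

// Returns the matching platform name, or null if no recorded key yields the presented hash.
function verifyClientHash(requestUrl, presentedHash) {
  // Reject anything that is not exactly 64 hex characters before comparing.
  if (typeof presentedHash !== "string" || !/^[0-9a-f]{64}$/i.test(presentedHash)) {
    return null;
  }
  const presented = Buffer.from(presentedHash.toLowerCase(), "hex");
  let match = null;
  for (const [platform, key] of Object.entries(ACCEPTED_KEYS)) {
    const expected = Buffer.from(urlBoundHash(requestUrl, key), "hex");
    // Constant-time compare; every key is checked so timing does not show which one matched.
    if (crypto.timingSafeEqual(expected, presented) && match === null) {
      match = platform;
    }
  }
  return match;
}

// Constructed usage: a hash computed for one start URL does not verify for another.
const startUrl = "https://lms.example/quiz/42/start?session=abc";
const clientHash = urlBoundHash(startUrl, ACCEPTED_KEYS.macos);
console.log(verifyClientHash(startUrl, clientHash));
console.log(verifyClientHash("https://lms.example/quiz/43/start?session=abc", clientHash));
```

Because the URL is part of the hashed input, the server can put a per-session value in a server-generated start URL and still verify the client without knowing the final config in advance.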