[Building Sakai] Discussion how to handle X-Frame in the New IFrame tool (SAK-21624)

[Charles Severance]

As I prepare to move the new portlet-based iframe tool back to the trunk, it is time to think about how to handle X-frame support.

Clearly the idea is that Sakai will check the to-be launched URL destined for an iframe, and if it is somewhere other than the current server, do a HEAD request to the URL, wait about a second, and then based on the X-Frame setting, either put it in an iframe or force a pop-up.  Of course if the user indicated "pop-up" - then there is no need to check.

So - should this be done each time a user selects the tool?  Or should this be done once each time the URL is changed and stored in a property?   Do we expect this value to change form launch to launch?

How long should we wait for a timeout as a default?  If we wait 5 seconds, it might make the page seem really slow.  We *could* do this via Ajax - it would be tricky - I would prefer to do it server-to-server for maximum quickness.

Should I do the same for Basic LTI?  How should I do it?  Of course that is a bit weird because BLTI is started vis POST and not a GET and many of the launch URLs return an error message if the secret does not match.   LTI is trickier....

Thoughts/comments?

/Chuck