Posted by jhchnc on September 29, 2012 at 11:38pm
A very simple solution to having an "AJAX"-like experience with the Quiz module is to render your quiz on a page in an iframe.
It took me a day of toying with different ideas to realize that this would be a very simple method to employ when looking for a solution to the problem of not requiring the user to reload an entire page as they go through a quiz.
It is also a very good method for D7 users, as it assures compliance with core Quiz changing going forward.
Comments
Sorry, iFrames introduce XSF
Sorry, iFrames introduce XSF attacks - you can read more on the subject here on OWASP:
https://www.owasp.org/index.php/Cross_Frame_Scripting
If truly AJAX, you can change the content of a DIV layer via JQuery UI.
Please explain how, because I don't think so
Iframes alone do not introduce XSF. If I make a website test.com, and include an iframe which loads test.com/bar on the page test.com/foo, then how, exactly, does that create an XSF attack.
Since I'm in control of both pages, how can an exploit like the one you've mentioned occur? I read your link, but I'm not going out to a third party.
Iframes are not bad. Sending your users to iframes made by bad people is.
The fact remains that using an iframe to create a seamless, non-page reloading experience is the only way forward right now with Drupal Quiz.
I concur. A normal iframe you
I concur. A normal iframe you create can only be hijacked for evil if someone can inject Javascript on your page and change the src and if they can do that, then you have much bigger problems. :-) If iframes were inherently bad, lots of smart security conscious people wouldn't use them for embeding, like: Google, YouTube, Vimeo, etc. Even the admin overlay in Drupal 7 is implemented as an iframe.