Hey everyone,

I'm excited that the latest version of the module includes support for iPaper secure. However, when I upload a document through the iPaper module (by creating an iPaper node) with the "Yes - Prevent embedding" option selected, I get the following error message when I try to view the document in my account at Scribd.com:

"Security failure - This is a secure document but was embedded without security parameters"

Any idea what could be causing this? Are we missing a parameter? Does this error message cause any additional security problems besides not being able to view the document within my Scribd account?

I've confirmed that this error message only occurs when uploading a document with the secure option selected.

Thanks for the great module!

Cheers,
Ben

Comments

rares’s picture

Can you confirm that when you are viewing the respective document the module includes two extra lines in the Javascript, like:

scribd_doc.addParam('use_ssl', true);
scribd_doc.grantAccess('guest', '5c9c878d769ad5038f84c1c113a3e304', '70da3d07850c2f7e8c91897476eae751');

BenK’s picture

rares,

Thanks for the note. Yes, those two lines are included when looking at the page source.

Of greater concern, however, is that the protection against embedding on other websites does not appear to be working. I tried copying from the page source all of the embed code and then pasting it on another website. The document was easily embedded on the second website without any security protections in place.

So at least in my installation of the module, it appears iPaper secure isn't working properly. Any ideas about the security parameters we're apparently missing?

Cheers,
Ben

BenK’s picture

I just did some additional testing.... On a different computer, when trying to view the document on a site that should NOT be allowed to embed, I get the following error message:

Error
Security failure - try clearing your cookies

I'm not sure if this means the iPaper secure parameters are functioning properly in some instances. Should the user be able to steal the embed code, paste it on another website, and then view the document as long as the user was on the same computer?

Therefore, I'm wondering if security.setAccess could be related to the security parameters we're missing. Here's the link to the documentation:

http://www.scribd.com/developers/api?method_name=security.setAccess

Do we need to use security.setAccess to disable access once a user leaves the iPaper node?

Thanks again for your help!

Best,
Ben

rares’s picture

Hi, I think the setAccess method is supposed to be used after grantAccess, which goes in the embed code.
The "Security failure - try clearing your cookies" is exactly what is supposed to show if a secure document and its embed code is taken to a different computer. I thought I would get the error even if it was in a different browser, but that's not always the case. However, if you have a different IP address then it will certainly trigger. So yes, the parameters are working in some sense.
Nevertheless, I have also had the problem you are describing with "embedded without security parameters". I am not able to replicate it anymore though. On the test site: http://ipaper.rarespamfil.com/, I am able to use the security features properly. You can try creating new files there and write back to say what you get.
One other thing that might be worth trying is disabling caching for your site from /admin/settings/performance. I know caching can create problems for anonymous users, so in the next release I will try to write code that disables it for ipaper nodes (any ideas?).

rares’s picture

I should add that in order for the secure embedding to work you absolutely need to have the Secret Key entered on the module configuration page.

BenK’s picture

Hi rares,

Thanks for the helpful comments. Yes, I definitely have the Secret Key filled in on the module configuration page.

I'll try out your test site, but I'm not sure if I can fully test things without access to the corresponding Scribd.com account. I'm not getting the "embedded without security parameters" error on the embedded site itself -- rather, I'm getting the error message when try to view the document at my account on Scribd.com. This is problematic for me because I need to keep track of the various documents at my Scribd.com account and need to be able to view all documents there.

I'll also try disabling the cache, too.

One other related issue: My use case involves granting access to an iPaper node (using the Content Access module) for a limited time. (We're selling products on our site that would be displayed as an iPaper node.) So I'm concerned that someone could copy the iPaper secure code and then paste it on their own site to gain access that never expires (as long as they never deleted their cookies). Even though no one else would be able to view the iPaper document on the user's site (other users would get the "Security failure - try clearing your cookies" error), the user himself would still be able to view the document because they were originally granted access on my site.

Could a solution be to use security.setAccess to disable access after a configurable period of time? If a user still had access to the iPaper note their access would be re-enabled when they viewed the document again.

Thoughts?

Thanks,
Ben

rares’s picture

hello:

- unfortunately I did not read your question carefully enough in the beginning
"I get the following error message when I try to view the document in my account at Scribd.com"
This is also what I get (when I am logged in, of course), and I think it is by design. The module can't do anything about whether or not scribd.com includes that code, so this is something you would have to ask about in the Scribd Google Group. I also find the behavior a little weird -- perhaps they are willing/planning to change this?
Sorry I didn't respond correctly, my impression was that you weren't able to view the document on your own site.

-security.setAccess will clear access for someone, so if they view the same page afterwards they shouldn't be able to see it anymore. Because the embed code will look the same whether or not were to re-enable the access, it must follow logically that the only way to re-enable access is through security.setAccess (or by doing the embed such that your first grantAccess parameter is a different user ID (which can be accomplished by hacking the module).
The solution I envisage to what you're describing would involve making an secure.setAccess call when you deny access to the iPaper (maybe put that in the 403 page?) and another one when you display any iPaper node to re-enable access (maybe use a cookie set on the 403 page to check if the user has been denied access?).
Note that if you're having problems restricting access on ipaper nodes (i.e. generating 403 errors) with other modules you should see #485538: iPaper incompatible with node access system and potentially ask about that there.

BenK’s picture

Hey rares,

I submitted a help request to Scribd on the "Security failure - This is a secure document but was embedded without security parameters" message and here is the reply I got back:

"I've submitted this issue to our developers for investigation. It appears to be related to the extra security layer surrounding these documents; their initial investigation suggests that the viewer on our site is not expecting the security to be there. You should still be able to view the documents on your own site, where the embedded viewer has all the security information necessary to view them. And you should still be able to manage the documents from our site."

--Customer Care Representative

So it appears that the Scribd site doesn't actually have the security protocols necessary to view an iPaper secure document. I hope they fix this at some point, but I guess this is expected behavior for now.

Thanks,
Ben

rares’s picture

Status: Active » Closed (won't fix)

so we'll stay put, at least for now.

cscarrillo’s picture

Version: 6.x-1.0 » 6.x-1.1
StatusFileSize
new15.57 KB

Error with Ipaper module running in Drupal OpenPublish (See attached). PDF files were displaying properly at one point in time now I get the same error for all of them. Anyone available to help?

Thanks,
CC