…me in view.php

…C-0019)

…ermissions-Policy

…fore DEC-0060

… secure->legacy (watchdog)

…y (DEC-0060)

…DEC-0059 Route A)

… not the site origin

…g, content_headers, bridge re-extract)

…load fails

On a host whose service worker cannot serve an opaque-origin iframe (e.g. the
PHP-WASM Moodle Playground), the token URL falls through to a 404 and the in-iframe
shim never announces 'ready'. The relay watchdog already reveals the
"blocked by security configuration" notice instead of degrading to same-origin, but
it waited a flat 8s, during which the iframe sat blank with no notice -- so secure
mode "looked like it worked" for several seconds.

The watchdog now reacts to the iframe element's 'load' event (which fires even when
the navigation ends in an error page such as that 404) and grants only a short grace
(~2.5s) for the handshake; if 'load' never fires it still falls back to the 8s cap.
The load listener attaches immediately if the iframe is present, otherwise on
DOMContentLoaded (the relay is injected inline before the iframe element).

Verified empirically in the Playground via Chrome DevTools: the iframe is built in
secure mode (opaque, sandbox without allow-same-origin), tokenpluginfile returns 404,
and the notice is shown with the iframe hidden -- the token does not help there
because the blocker is the service worker, not the cookie (DEC-0060).

Vitest 52/52 (two new tests cover the load-driven fast path).

The Playground's PHP-WASM service worker cannot serve an opaque-origin iframe, so
secure mode there only ever shows the "blocked by security configuration" notice. Set
iframemode=legacy in the blueprint setConfigs so the preview actually renders the
package and is useful. This is a Playground-only override applied at boot; real Moodle
keeps the secure default.

…e the iframe

Defense in depth for secure mode: the package is served via tokenpluginfile with an
executable CSP, so opening the token URL top-level (e.g. in a new tab) would run author
JS as Moodle's origin. Add a `sandbox allow-scripts allow-popups allow-forms` CSP
directive (secure mode + HTML only, via content_headers) so the document keeps an opaque
origin however it is loaded. Tokens mirror the secure iframe sandbox; the SCORM
postMessage bridge is unaffected because the iframe is already opaque. Unit test asserts
the directive is present in the secure CSP.

Raised while reviewing the sibling omeka-s-exelearning secure-iframe work; applied here
for consistency across the eXeLearning embedders.

In secure mode the package runs in an opaque-origin sandbox, which leaves
YouTube/Vimeo players and PDFs blank (the sandbox flag propagates to nested
iframes; Chrome also blocks its PDF viewer without allow-same-origin). Promote
those embeds to the trusted parent: a shim baked into the package replaces
whitelisted-video / .pdf iframes with placeholders and reports their geometry
via postMessage; an inline relay on the activity page validates + rebuilds the
URL and overlays the real player inline over each placeholder.

- js/exe_embed_shim.js: in-iframe, self-activates only in the opaque origin
  (dormant in legacy); dual-export for Vitest.
- js/exe_embed_relay.js: parent-side validate (host whitelist + canonical URL
  rebuild + same-origin package-file invariant for PDFs) and inline overlay.
- package_manager + scorm_injector: bake the shim + whitelist into every page
  head, alongside (and independent of) the SCORM bridge.
- player_iframe::embed_whitelist(); relay inlined in view.php (secure only).

PDFs: local package PDFs always render; any https .pdf renders; same-origin
PDFs must belong to this package (served as application/pdf, never executable).

Tests: Vitest validator/promote (exe_embed.test.js) + SCORM coexistence guard
(embed_scorm_coexistence.test.js); scorm_injector_test asserts the shim is baked
without dropping the SCORM bridge. Documented in DEC-0061. Fixtures under
research/fixtures/elpx/.

mod_exelearning serves package assets with relative URLs (unlike the wp/omeka
proxies, which rewrite to absolute), so a locally-packaged PDF was reported to the
parent relay as a relative src. The relay resolves URLs against the host page, not
the content, so it rejected the relative path and the local PDF did not render.

The shim runs inside the content, so it now resolves each src against the content
location and reports the ABSOLUTE URL. Verified live (secure mode): the embeds demo
renders 4 players inline (YouTube, Vimeo, remote PDF, local package PDF). Adds a
Vitest regression test (a relative src is reported absolute). Updates DEC-0061 with
the live results, including the SCORM scoring validation (track.php saved a full
attempt; gradebook + attempts report reflect it) confirming the embed shim does not
break scoring.

…dow first

The vendored pipwerks API.get() started its lookup at win.parent and skipped the
current window. In secure (opaque-origin) mode the SCORM API is provided locally
as window.API by the in-iframe bridge shim (DEC-0059) and the Moodle parent is a
cross-origin/opaque frame, so reaching into parent.API threw SecurityError,
init() never activated the connection, and every LMSSetValue/LMSCommit became a
silent no-op -- no attempt rows were ever written. Legacy (same-origin) mode
masked it because the parent there hosts the API.

Restore the standard pipwerks order: try find(window) first, then fall back to
the parent and opener, with every cross-origin hop wrapped so an opaque ancestor
can never abort the lookup. Legacy keeps working: with no local API, find(window)
walks up to the same-origin parent exactly as before.

Add tests/js/scorm_api_wrapper.test.js (loads the vendored wrapper with a
controllable window) covering current-window-first, opaque-parent safety, the
null fallback, the legacy walk-up, and the full init()/set() save path. Document
the root cause and the DEC-0059 verification gap in DEC-0062.

…eometry

Extend the external-embed allowlist with Dailymotion (www/geo.dailymotion.com,
/embed/video/{id}) and EducaMadrid/Mediateca de Madrid (mediateca.educa.madrid.org,
/video/{id}/fs), each with a per-provider canonical-URL validator in the relay so
only a reconstructed, known-good embed URL is ever rendered. Clamp the relayed
player overlay to the placeholder's rect (defence in depth against geometry-driven
clickjacking; the overlay already clips with overflow:hidden). Mark the shim/relay
as the canonical source for the wp/omeka mirrors. Refresh the demo fixture and the
Vitest + Firefox e2e coverage with the new hosts and their reject cases.

…st allowlist

Replace the maintained host allowlist with a structural invariant (DEC-0061): in the
default 'open' mode the relay promotes any iframe whose src is https AND cross-origin to
the LMS, rejecting same-origin, sub/superdomains of the LMS, IP/loopback/local hosts and
userinfo. The host is irrelevant to escape -- a cross-origin sandboxed player is isolated
from the LMS by the same-origin policy -- so the allowlist only mitigated phishing/
tracking, which the sandboxed content can already do. An admin setting 'embedmode'
(open|strict, fail-safe to strict) keeps the allowlist + per-provider reconstruction for
high-security deployments. This supports any provider with no maintenance and supersedes
the earlier "no whitelist is unsafe" conclusion (correct only for Moodle's same-origin
model, not this cross-origin sandboxed one).

Security conditions (verified):
- The video player is now SANDBOXED: allow-scripts allow-same-origin allow-popups
  allow-forms allow-presentation, with NO allow-top-navigation/allow-modals -- so an
  arbitrary embed cannot redirect the tab. allow-same-origin sits on the cross-origin
  player (the provider keeps its own origin, never the LMS's) and is what lets it be
  sandboxed; it is not the forbidden content-iframe case.
- D1: a load-time guard removes a player that lands same-origin to the LMS (a cross-origin
  URL that 30x-redirects to this origin would otherwise be scriptable with allow-same-origin).
- D2: promoted players are tagged data-exe-embed-player and excluded from frameForSource/
  pingAll, so a sandboxed player cannot forge a sync message and impersonate a content source.
- The shim promotes any cross-origin https / .pdf candidate; the relay is the authoritative
  gate. PDFs stay unsandboxed (the browser PDF viewer fails inside a sandbox), unchanged.

Rewrite the Vitest suite (open + strict + IP/subdomain helpers + sandbox + forged-message
defence), update the Firefox e2e (open mode: every cross-origin/PDF iframe promoted, players
sandboxed), update tools/check-embed-sync.mjs invariants, and document it in DEC-0061.

…eanups

Quality-only cleanups (no behaviour change):
- scorm_injector: drop the dead window.__exeEmbedWhitelist global, collapse the
  three <head>-insertion blocks into a table-driven loop, and build the script
  payloads once per file from one $libs prefix instead of six root/.. pairs.
- view.php: extract an inline-module emit helper and only ship the embed
  whitelist in strict mode (open mode ignores it).
- admin styles: extract the duplicated action_link() into a shared
  styles_action_button helper.
- JS: reuse armBlockedTimer in the watchdog; move scorm_tracker's snapshot to the
  async-only XHR path; hoist getBoundingClientRect out of sync()'s per-embed loop.

- Embed relay/shim: normalize a trailing-dot FQDN-root host so the served
  host in 'host.' form can no longer slip past the open-mode cross-origin
  gate and be promoted as a player.
- SCORM bridge relay: reject a forged track when the expected nonce is
  empty, and require a non-null iframe contentWindow (no null===null match).
- exelearning_pluginfile: emit Referrer-Policy: no-referrer and
  X-Content-Type-Options: nosniff on every secure-mode package file so the
  in-URL file token cannot leak via Referer and a .pdf path cannot smuggle
  executable HTML.
- Tests: trailing-dot, nonce-empty and null-contentWindow regression cases;
  content_headers per-file header assertions; check-embed-sync records
  normalizeHost as a relay invariant.

Brings in the research/ cleanup (retire arquitectura/+inventario/, reconcile ADR/task states, refresh sources) and the unreferenced-fixtures removal (~13MB). Clean auto-merge; indices regenerated. DEC-0059..0063 coexist (no ID collision).

Brings in the recorded maintainer decisions (xAPI endpoint design DEC-0063, DEC-0033 scope, etc.). Conflict in status.yaml RIE-001 resolved by keeping this branch's estado: mitigado (the secure-iframe work DEC-0059..0062 actually implements the hardening) over main's estado: aceptado; the TAREA-013 note lives in the merged TODO.md. Indices regenerated.

Resolve view.php conflict between the secure-iframe SCORM bridge (DEC-0059/
DEC-0060/DEC-0062) and the xAPI ingestion layer (DEC-0064), which both
rewrite the SCORM-tracker bootstrap.

Resolution: keep the secure/legacy split (bridge relay + embed relay in secure
mode, inline scorm_tracker in legacy mode) and fold in the xAPI path, but gate
xAPI-primary to legacy mode:

  $emitsxapi = !$securemode && exelearning_xapi_primary_enabled()
             && exelearning_package_emits_xapi(...)

Rationale: js/xapi_listener.js trusts a statement by event.origin === host
origin. In secure mode the package runs in an opaque origin (event.origin is
'null'), so the listener can never receive its statements. There the SCORM
bridge relay (window-identity + nonce) is the working channel, so the SCORM shim
must stay LIVE; setting disableTracking there would record zero grades (the
DEC-0062 failure secure mode exists to fix). disableTracking and the shared
$sessiontoken/xAPI registration therefore only take effect in legacy mode.
Bridging xAPI over the secure relay is left as a follow-up.

…-0065)

The xAPI ingestion layer (DEC-0064) assumed the package iframe is served
same-origin: js/xapi_listener.js trusts a statement by event.origin === host
origin. The secure iframe mode (DEC-0059/0060) serves the package from an
opaque origin where event.origin is the string "null", so that check can never
match and every statement is dropped. The branch merge had gated xAPI off in
secure mode as a stopgap; this enables it properly.

- js/xapi_listener.js: add a window-identity trust mode. When configured with
  iframeid (or expectedSource for tests) the listener trusts a statement by
  event.source === the package iframe's contentWindow (resolved lazily) and
  ignores the opaque "null" origin, exactly like the SCORM bridge relay. Legacy
  same-origin keeps the event.origin check.
- js/scorm_bridge_relay.js: add disableTracking. When set, the relay still
  validates the SCORM message and still runs the ready handshake + watchdog, but
  forwards no track.php POST. The decision lives on the trusted parent (fresh
  each load), not the baked-in shim, so it holds even for packages extracted
  before the flag; the opaque shim cannot reach track.php itself (no sesskey).
- view.php: xAPI-primary now applies in both iframe modes (drop the !secure
  gate). Secure passes disableTracking to the relay and injects the listener
  with iframeid; legacy injects it with allowedOrigin.
- Tests (Vitest 115/115): window-identity accept/reject + precedence, lazy
  resolution; relay disableTracking suppresses the POST while ready still
  handshakes.
- Docs: ADR DEC-0065 (+ adrs/diario indices, diario entry); English
  tracking-architecture.md / xapi-integration-plan.md; QA checklist scenarios
  for secure-mode grading and the kill-switch-mid-session limitation.

Reviewed adversarially (6 lenses, verified): no new double-grading or grade-loss
path; the kill-switch mid-session divergence is a pre-existing DEC-0064 property
(documented), not introduced here.

A multi-agent adversarial review of the branch found no critical/high bugs;
these are the 3 confirmed low-severity items.

- scorm_bridge_shim.js: isSandboxedOpaque() treated ANY web-storage exception as
  "opaque", so in legacy (same-origin) mode a QuotaExceededError or a disabled-
  storage policy would wrongly activate the baked shim — which posts scores to a
  parent that has no relay listener, silently losing the grade. Narrow the
  secondary probe to a genuine SecurityError (the only opaque-origin signal).
- exe_embed_relay.js: a promoted CROSS-ORIGIN PDF was overlaid unsandboxed, so a
  package embedding https://attacker/x.pdf that serves HTML could top-navigate the
  Moodle tab to a phishing page (the exact thing the video player blocks). Sandbox
  cross-origin PDFs without allow-top-navigation/allow-scripts; same-origin package
  PDFs (served application/pdf+nosniff) stay unsandboxed so the viewer renders.
  Fixes the stale makePlayer doc-comment that already claimed the PDF was sandboxed.
- lang/{es,ca,eu,gl}: add the 9 secure-iframe/embed strings (embedmode*, iframemode*,
  securemodeblocked) that existed only in lang/en, restoring 5-language parity for
  the admin settings and the student-facing blocked notice (~ pending-review prefix).

Tests: Vitest 117/117 (new: non-SecurityError storage must not count as opaque;
cross-origin PDF is sandboxed without top-nav; same-origin PDF stays unsandboxed).

…imeo)

Compare the secure YouTube/Vimeo embed approach of mod_exelearning (DEC-0061,
promote-to-parent inline overlay) against three siblings: procomún
(fix/apertura-segura-elpx, click→modal), the eXeLearning editor
(fix/opaque-iframe-external-media, producer-side {provider,videoId}+MessagePort
channel), and the security paper (the SoK that names the model).

All four share the opaque-origin + promote-to-parent + SOP-isolation model;
they differ by layer and trust channel. Verdict (role-dependent) + a concrete
recommendation for the plugin (keep the relay; borrow eXe's id-only channel;
make interactive-video complementary; add Vimeo canonicalization).

Adds AN-015 + REPO-010 (procomún) + REPO-011 (paper) source entries and the
notas/repos indices.

Reconcile teacher-mode handling with main (#86). main retired the host-side
CSS injection in favour of the package's own ?exe-teacher=1 URL parameter, so:

- view.php: keep the secure/legacy iframe-mode resolution and append
  ?exe-teacher=1 to the resolved $iframeurl when teachermodevisible is on. The
  parameter works in secure (opaque-origin) mode too because the package reads
  its own location.search, so no host CSS injection is needed in either mode.
- Drop the exelearning_require_teacher_mode_hider() call (the helper and
  classes/local/ui/teacher_mode_hider.php were removed on main).
- Retire the SCORM bridge's teacher-mode path, now redundant: remove
  teachermodevisible from the relay config ($relaycfg), the relay handshake
  postMessage and the in-iframe shim's hideTeacherMode() (it injected the exact
  #teacher-mode-toggler-wrapper CSS that #86 retired). Update tests/js
  accordingly. SCORM tracking over the bridge is unaffected.