From ca82f143b046a016ac4df060341effc9afda0873 Mon Sep 17 00:00:00 2001
From: Dmitry Viskov
Date: Fri, 19 Feb 2016 23:59:30 +0300
Subject: [PATCH] When using in-frame LTI navigation in IE 10 & 11, problems are not rendering properly. The problems render properly in IE 10 & 11 when using edX directly, or when opening LTI in a new tab. This is reproducible in Canvas and D2L
---
 cms/envs/common.py | 3 +++
 common/djangoapps/util/views.py | 19 +++++++++++++++++++
 lms/djangoapps/lti_provider/views.py | 2 ++
 lms/envs/common.py | 3 +++
 4 files changed, 27 insertions(+)
diff --git a/cms/envs/common.py b/cms/envs/common.py
index bb99b01a98..7e2e1b627b 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -358,6 +358,9 @@ MIDDLEWARE_CLASSES = (
 # Clickjacking protection can be enabled by setting this to 'DENY'
 X_FRAME_OPTIONS = 'ALLOW'
+# Platform for Privacy Preferences header
+P3P_HEADER = 'CP="Open EdX does not have a P3P policy."'
+
 ############# XBlock Configuration ##########
 # Import after sys.path fixup
diff --git a/common/djangoapps/util/views.py b/common/djangoapps/util/views.py
index 9357fbeef3..4129c67e11 100644
--- a/common/djangoapps/util/views.py
+++ b/common/djangoapps/util/views.py
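Review bot: The comment above `P3P_HEADER` does not say that the value is deliberately not a valid compact policy, nor which code reads the setting, so a later reader cannot tell it exists only to let IE keep cookies on framed LTI responses. I would replace it with `# Sent by util.views.add_p3p_header on framed (LTI) responses so IE 10/11 accept their cookies; the CP value is intentionally a placeholder, not a real P3P policy.` The same applies to the identical addition in lms/envs/common.py. Because the setting sits directly below `X_FRAME_OPTIONS = 'ALLOW'`, it is worth noting there that both settings loosen browser-side defaults for framed content and should be reviewed together.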
@@ -374,3 +374,22 @@ def accepts(request, media_type):
 """Return whether this request has an Accept header that matches type"""
 accept = parse_accept_header(request.META.get("HTTP_ACCEPT", ""))
 return media_type in [t for (t, p, q) in accept]
+
+
+def add_p3p_header(view_func):
+ """
+ This decorator should only be used with views which may be displayed through the iframe.
+ It adds additional headers to response and therefore gives IE browsers an ability to save cookies inside the iframe
+ Details:
+ http://blogs.msdn.com/b/ieinternals/archive/2013/09/17/simple-introduction-to-p3p-cookie-blocking-frame.aspx
+ http://stackoverflow.com/questions/8048306/what-is-the-most-broad-p3p-header-that-will-work-with-ie
+ """
+ @wraps(view_func)
+ def inner(request, *args, **kwargs):
+ """
+ Helper function
+ """
+ response = view_func(request, *args, **kwargs)
+ response['P3P'] = settings.P3P_HEADER
+ return response
+ return inner
diff --git a/lms/djangoapps/lti_provider/views.py b/lms/djangoapps/lti_provider/views.py
index 6325771e23..6f2e93233b 100644
--- a/lms/djangoapps/lti_provider/views.py
+++ b/lms/djangoapps/lti_provider/views.py
@@ -14,6 +14,7 @@ from lti_provider.users import authenticate_lti_user
 from lms_xblock.runtime import unquote_slashes
 from opaque_keys.edx.keys import CourseKey, UsageKey
 from opaque_keys import InvalidKeyError
+from util.views import add_p3p_header
 log = logging.getLogger("edx.lti_provider")
@@ -32,6 +33,7 @@ OPTIONAL_PARAMETERS = [
 @csrf_exempt
+@add_p3p_header
 def lti_launch(request, course_id, usage_id):
 """
 Endpoint for all requests to embed edX content via the LTI protocol. This
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 0a6f3d6ab5..fd04bcd92a 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
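Review bot: `wraps` and `settings` are used in `add_p3p_header`, but the diffstat's 19 insertions for util/views.py are all in this hunk, so the commit adds no import for either name. Both must already be imported at the top of the file, which is outside the hunk; that is worth confirming, since a missing `wraps` would fail as soon as lti_provider/views.py is imported. The docstring should also state the security effect plainly, for example by adding `The header makes IE accept cookies it would otherwise block in a third-party frame, so apply it only to views that are meant to be embedded by another site.` The inner docstring `Helper function` could instead read `Call the view and set the P3P header on its response.`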
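Review bot: Only the response of `lti_launch` itself gets the P3P header, because pages loaded afterwards inside the same frame do not pass through `add_p3p_header`. If any of those later responses sets a cookie (a CSRF cookie or a re-issued session cookie, for instance), IE would presumably still drop it. It is worth testing in-frame navigation after the launch, or adding a comment above the decorator such as `# P3P is only needed here: this is the response that sets the session cookie inside the frame` if that is the case. The body of `lti_launch` continues outside the hunk, so where the cookie is set cannot be checked from here.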
@@ -1151,6 +1151,9 @@ MIDDLEWARE_CLASSES = (
 # Clickjacking protection can be enabled by setting this to 'DENY'
 X_FRAME_OPTIONS = 'ALLOW'
+# Platform for Privacy Preferences header
+P3P_HEADER = 'CP="Open EdX does not have a P3P policy."'
+
 ############################### PIPELINE #######################################
 PIPELINE_ENABLED = True