
Securing proctoring of tests

To prevent an exam from being taken without Constructor Proctor, a special script is used. The script operates as follows:

  1. The Constructor web application (WebApp) sends a signal to the exam page, which runs inside an iframe.
  2. Upon receiving the signal, the script inside the exam page confirms that the exam is currently being proctored.
  3. Optionally, the exam page script can verify that this page in LMS corresponds to the exam specified in the Constructor proctoring session object.

Example

Open this link to an exam page. The page behaves differently with proctoring and without it. To observe the difference, open the page in two different ways:

  • Click on the link. That is, open the page as a top-level page.
  • Create a proctoring session with this page set as the exam URL, and start it with the Constructor web application.

Note the following security-related points:

  • The exam page verifies the origin of the message sender and trusts the sender.
  • The Constructor Proctor web application does not authenticate the page inside the iframe. Therefore, any code running in an iframe on a page with the web app can determine whether proctoring is active. While it may not be a security issue, we should be aware of this behavior.

Constructor Proctor WebApp operation

When opening an exam, the WebApp acts as follows:

  1. Appends ?examus-client-origin= to the exam address.
  2. Waits for the page inside the iframe to load (readyState === 4).
  3. Sends the message proctoringReady_n6EY to the page inside the iframe.

Script inside iframe operation

The script inside the iframe acts as follows when loaded on a page of a test that should be proctored:

  1. Covers the screen with a spinner-like overlay.
  2. Reads the examus-client-origin search parameter.
  3. Registers a listener with window.addEventListener('message', e => {}).
  4. When receiving a message:
    1. Checks the sender's origin: if (e.origin !== expectedOrigin) return.
    2. Receives the data from the message if the proctoring is active.
    3. Checks assessCode (4.3 and 4.4). This is the check that the test taker is taking the exact test specified in the Examus proctoring session. (This is how the procedure is implemented in Moodle.)
      • If assessCode is not saved in the session, it is saved.
      • If assessCode is saved in the session, the following is checked:
        • If URL coincides, then assessCodeIsValid = false.
        • If URL doesn’t coincide, then assessCodeIsValid = true.
  5. Checks the (proctoringIsActive && assessCodeIsValid) condition:
    • If it is true, the script removes the spinner-like overlay and allows the test taker to take the exam.
    • If it is false, the script shows the instructions on how to take the exam correctly.
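
The origin check and the final gate from the steps above, written as testable functions. This is an added example, not Constructor's own script. It assumes the message payload is the bare string proctoringReady_n6EY, takes assessCodeIsValid as an input, and adds one hardening step the page does not describe: because the expected origin arrives in a URL parameter, it is accepted only if it appears on an allowlist (the allowlist and all function names are hypothetical).

```javascript
// Added example: names other than the message and the parameter are hypothetical.
const READY_MESSAGE = 'proctoringReady_n6EY';            // message name from the page
const ORIGIN_PARAM = 'examus-client-origin';             // query parameter from the page
const ALLOWED_ORIGINS = ['https://proctor.example.com']; // constructed placeholder allowlist

// Step 2: read the parameter, normalise it to an origin, accept only allowlisted values.
function resolveExpectedOrigin(search, allowed = ALLOWED_ORIGINS) {
  const raw = new URLSearchParams(search).get(ORIGIN_PARAM);
  if (!raw) return null;
  try {
    const origin = new URL(raw).origin; // strips path and query, lowercases the host
    return allowed.includes(origin) ? origin : null;
  } catch {
    return null; // not a parseable URL
  }
}

// Steps 4.1-4.2: only the expected origin may assert that proctoring is active.
// Assumption: the payload is the bare message string.
function proctoringIsActive(event, expectedOrigin) {
  if (expectedOrigin === null) return false;
  if (event.origin !== expectedOrigin) return false;
  return event.data === READY_MESSAGE;
}

// Step 5: fail closed; anything short of both conditions keeps the overlay up.
function gateExam(search, event, assessCodeIsValid) {
  const expected = resolveExpectedOrigin(search);
  return proctoringIsActive(event, expected) && assessCodeIsValid === true
    ? 'unlock'
    : 'instructions';
}

// Constructed sample events (not captured traffic).
const sampleSearch = '?examus-client-origin=https%3A%2F%2Fproctor.example.com';
const genuine = { origin: 'https://proctor.example.com', data: READY_MESSAGE };
const foreign = { origin: 'https://other.example.net', data: READY_MESSAGE };
console.log(gateExam(sampleSearch, genuine, true));
console.log(gateExam(sampleSearch, foreign, true));
console.log(gateExam('?examus-client-origin=https://other.example.net', foreign, true));
```

In the page itself, gateExam would be called from the message listener, with the overlay removed only on 'unlock'.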