Cornerstone on Demand HTTP -> HTTPS
Apr 03, 2020
Hi everyone,
TLDR: How do you publish a course to be compliant with https? (I know, I never thought I'd ask this)
Got a question for the more LMS (and server) minded people in the group. A client sent me a request to quote on updating courses from HTTP to https. My first response was that's not a course issue, it's a server/LMS issue and that they should contact their LMS provider - Cornerstone on Demand (CSOD). Her reply: the request came from CSOD. My reply: huh? Really?
Has anyone come across this before? It goes against everything I thought I understand about how HTTPS works. I think the courses that were listed as non-compliant were published in the original player with HTML5 and Flash fallback (or vice versa). Would this be as simple as republishing in straight HTML5? I can't imagine it would be, but...
Thought I'd ask to see if anyone has encountered this before I send over files to find out there's something else.
Here's the message from CSOD:
You're receiving this message as our records show that you currently have courses using HTTP and you may be impacted by a planned change.
Cornerstone makes frequent updates to maintain and surpass the current technology and security standards. As part of these regular updates, we plan to enable HTTP Strict Transport Security (HSTS) on June 1, 2020.
As part of the HSTS enablement, our sites will no longer accept clear text HTTP, HTTPS is the safer version of the HTTP protocol, which enables web users to connect to websites. Secure connections are an important step in protecting users from a type of cyber attack called content injection, or content spoofing. For more details, please refer to https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Cornerstone allows clients to upload learning content to our system. As part of that process, you choose a Provider/Vendor for that course. Each of the providers/vendors that have been set up in your portal can be set to accept HTTP or HTTPS traffic. We have identified that you have some of these set to HTTP.
Further clarification was:
Your course providers or vendors should be able to help you with that. We aren't course package modifiers, and each vendor may have a different process. If you contact them and let them know that we're updating to HSTS, they should know how to adjust the courses for you.
If your organization has created courses, you will need to either consult the course creators or seek outside help.
7 Replies
A course shouldn't need republishing for https, it may be some of the links or web objects in your source are http so will need changing to https
Ah, that makes total sense! I’ll check to see what links they have.
very helpful as always Phil.
btw, I teach some design and elearning courses. When I talk up storyline, I mention the community and say that *someone* always responds to a post and there’s a high probability that it will be Phil Mayor. Thanks for proving me right. :)
Thanks Steve :-)
I'm thinking if it's right that CSOD could have been helpful mentioning it. But it also won't be the first time CSOD wasn't helpful.
It would have been nice if they had mentioned what needed changing and highlighting the courses involved.
Yeah it would have been super helpful if they gave some direction. The way they put it would indicate that every developer should know how to do it. Yet everyone I talk to has a similar, "That's a server thing not a course thing."
And the courses that have been flagged as non-compliant have no links or WebObjects. One had a swf file, the other no video files at all. And CSOD won't respond to my inquiries - though I'm giving every company a bit of a break these days.
This discussion is closed. You can start a new discussion or contact Articulate Support.