
Ok, I might be a little out of date with my web development knowledge, but my first question would not be about the origin but about the embedding itself. The user's input is rendered in the web frontend of blackboard? Why?

And second, how did they actually exploit it? Presumably the authentication works by some kind of token, right? Is the client js generally allowed to perform http requests outside of the origin domain? If not how did they hijack the authentication?



The student's input is rendered for teachers to make it easier to grade submissions without opening them in an external tool.

As someone who used blackboard in college I can tell you it's a mess. Neither teachers nor students like it. It integrates with a ton of 3rd party libraries to be "helpful" by embedding content like this but ends up with a ton of different, inconsistent and often broken experiences.


And they're extremely litigious on IP matters which makes competing with them a nightmare.


> my first question would not be about the origin but about the embedding itself. The user's input is rendered in the web frontend of blackboard? Why?

I think Blackboard sees this as a convenience feature, i.e. students submit assignments as, say, PDF documents and they can be viewed directly within Blackboard without the extra steps of downloading. Just silly that it works with anything that can interact with a web API, but maybe that was requested specifically?

> Is the client js generally allowed to perform http requests outside of the origin domain?

EDIT: By default, yes, but I'm not sure what restrictions can be applied. (I'm misremembering how CORS even works so I took out my previous paragraph.)

In any case, Blackboard probably provided other tools they could use within the domain as well. For example they could probably trigger some sort of user-to-user private messaging and send the token in the body.


Yes, client JS can make requests outside of the domain as long as the recipient domain allows it with CORS headers.
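The CORS question in the comments above, as an added example that is not part of the thread: the browser-side check that decides whether client JS may read a cross-origin response (simplified from the Fetch spec's CORS check), plus the headers a server should return for an allowlisted origin. The origins and allowlist are constructed. Note that CORS only gates reading the response, not sending the request, so the defence for rendering untrusted submissions is output encoding or a sandboxed frame, not CORS.

```javascript
// Browser side: may a script running at requestOrigin read this cross-origin
// response? Mirrors the Fetch spec's CORS check; headers is a plain object.
function corsAllowsRead(requestOrigin, responseHeaders, withCredentials) {
  const get = (name) => {
    const key = Object.keys(responseHeaders).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : responseHeaders[key];
  };
  const allowOrigin = get("access-control-allow-origin");
  if (allowOrigin === null) return false; // no CORS header: response stays opaque
  if (!withCredentials) {
    // Anonymous request: a wildcard or an exact origin match suffices.
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  // Credentialed request (cookies/auth): the wildcard is rejected, the origin
  // must match exactly, and the server must also opt in with Allow-Credentials.
  if (allowOrigin !== requestOrigin) return false;
  return (get("access-control-allow-credentials") || "").toLowerCase() === "true";
}

// Server side: headers a defender returns for a credentialed request whose
// Origin is on an explicit allowlist (constructed allowlist in the test).
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {}; // no headers: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": requestOrigin, // echo the specific origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // shared caches must key the response on Origin
  };
}
```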



