Plugin security and communication with hub

I've installed H5P and have been testing with libraries on our WordPress development site. I've also read your security information.

My questions are about security and the potential for code changes within the libraries which might get installed on a WordPress site. I'm not sure about the degree to which the open source nature of your system could impact a WordPress site.

Once H5P is installed, are there any dependencies it still refers to on the H5P server, or is each install independent of H5P once installed? Then I have the same question for the libraries that are installed locally via the "add content" process. It's my understanding that the libraries may be edited by members and, while you have some good security in place, I'm wondering about the potential for someone to sneak some mischievous code into a library that would get passed along to our and other sites. Can you clarify the nature of the relationship between the H5P and library (or are they plugins, btw?) installs on WordPress and the mothership H5P?

Thanks in advance for your reply.

Vernon

Summary:
Need to understand security and how h5p may or may not interact with websites.
thomasmars:

Hi,
All libraries that you get from H5P.org are checked for security issues through peer reviews and rigorous testing by the H5P Core Team. Any outside libraries that you install directly, you need to check yourself, or trust the issuer of the H5P content and libraries.

The H5P plugin does not depend on any external resources, but can use the H5P API to get the latest up-to-date H5P libraries from H5P.org if you wish; we recommend using this to keep your libraries up to date. H5P libraries themselves are mainly JavaScript, so they can be coded to talk to outside resources or APIs, but this is generally not the case (I don't know any libraries that do this) with official H5P libraries.

An official H5P library is not distributed/made available through the content type hub before it has been rigorously tested, and is only released by a release manager in the H5P Core Team, which is the same people who develop the plugin running on your server side.

The high level overview is that the H5P plugin runs on your WordPress site, and it communicates with H5P.org to get the latest H5P content types. Approved content types are made available through the editor on your site (if you choose to enable this); these are fetched from H5P.org.
You can read more about our security model at: https://h5p.org/documentation/installation/security

Hope this helps alleviate some of your worries. Let me know if any of this was unclear or you have more questions.

Best regards, Thomas
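A local audit for the case Thomas mentions (libraries you install yourself are JavaScript and could be coded to reach outside resources), as an added example that is not from this thread or the H5P project. It assumes the usual .h5p package layout (a zip with one directory per library, each holding a library.json whose preloadedJs entries list the scripts), and the network patterns are a constructed heuristic, not an exhaustive detector.

```python
import io
import json
import re
import zipfile

# Constructed heuristics: strings that suggest a script reaches beyond the
# hosting site (absolute URLs, browser network APIs). Extend as needed.
NETWORK_PATTERNS = [
    r"https?://[^\s'\"]+",
    r"\bfetch\s*\(",
    r"\bXMLHttpRequest\b",
    r"\bWebSocket\s*\(",
    r"navigator\.sendBeacon",
]

def audit_h5p_package(data: bytes) -> dict:
    """Return {library_dir: [findings]} for every library inside an .h5p zip.

    Assumes each library directory has a library.json listing its scripts
    under 'preloadedJs' (relative paths), per the H5P package layout.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith("/library.json"):
                continue
            lib_dir = name.rsplit("/", 1)[0]
            meta = json.loads(zf.read(name))
            hits = []
            for entry in meta.get("preloadedJs", []):
                src = zf.read(f"{lib_dir}/{entry['path']}").decode("utf-8", "replace")
                for pat in NETWORK_PATTERNS:
                    for m in re.finditer(pat, src):
                        hits.append(f"{entry['path']}: {m.group(0)}")
            findings[lib_dir] = hits
    return findings

def build_sample_package() -> bytes:
    """Constructed sample: one self-contained library, one loading remote code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("h5p.json", json.dumps({"title": "sample"}))
        zf.writestr("H5P.Clean-1.0/library.json", json.dumps(
            {"machineName": "H5P.Clean", "preloadedJs": [{"path": "clean.js"}]}))
        zf.writestr("H5P.Clean-1.0/clean.js", "H5P.Clean = function () { this.x = 1; };")
        zf.writestr("H5P.Suspect-1.0/library.json", json.dumps(
            {"machineName": "H5P.Suspect", "preloadedJs": [{"path": "suspect.js"}]}))
        zf.writestr("H5P.Suspect-1.0/suspect.js", "fetch('https://cdn.example/extra.js');")
    return buf.getvalue()
```

Any library with a non-empty finding list deserves a manual read before it is enabled on the site; an empty list only means none of these patterns appeared.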