
Last October we outlined a new security project for Canvas that gives institutions more control over the JavaScript that is allowed to run in their instance of Canvas through an updated Content Security Policy (CSP). We've been working hard to make this plan a reality and I'd like to post an update on our progress.


This project consists of three phases. The first phase changed the way we were serving up files in Canvas. The goal of this phase was twofold:

  • Make it clear that the files are not owned by Instructure, but rather by other Canvas users.
  • Limit how broadly user-granted permission was being applied. For example, if a user grants a file permission to access their webcam, permission will only be given for files in that course, and not for all files in that institution's instance of Canvas.

This first phase was deployed at the end of the year (view release notes here).


The second phase brings an updated CSP option to Canvas. The updated CSP will be opt-in from a new Security tab found on the account settings page. Institutions that don't opt in will have no changes made to their account. If an institution does choose to enable the updated CSP, they will be able to restrict the custom JavaScript (JS) that runs in their instance of Canvas based on domain.

  • This will be managed by a whitelist of acceptable domains. All JS that attempts to execute in violation of the whitelist will be blocked.
  • The whitelist has a limit of 50 domains. We recommend using wildcard domains (*.domain).
  • We will automatically add all necessary Instructure and Canvas domains, as well as any LTI tools that are configured on the account. These do not count toward the 50 domain limit.
  • Root account admins determine if sub accounts can manage their own whitelists. If so, sub accounts will have the option of either inheriting the whitelist from the parent account or managing their own whitelist.
  • Individual courses can be opted out of the CSP (for example, a computer science class that requires the ability to render student-submitted JS). Only account admins can opt a course out of the CSP.

This phase is currently in development. Our plan is to have this phase completed in the next couple of months.


The third phase adds a log to the UI which shows any requested domains that are in violation of the whitelist. This will allow admins to monitor activity and easily add new domains to the whitelist.

This phase is currently in the design stage and will begin development after phase 2 is released.
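To make the phase 2 allowlist and the phase 3 violation log concrete, here is an added JavaScript example; it is not Instructure's code and does not reflect how Canvas implements the feature. It models the allowlist as a CSP `script-src` directive (built-in and LTI domains added automatically and not counted against the 50-domain limit), decides whether a script URL would be permitted using the CSP host-source matching rule for `*.domain` wildcards, and reduces a browser violation report (in the `report-uri` JSON shape) to the row an admin would see in a log. All hostnames are constructed placeholders.

```javascript
// Added example, not Canvas/Instructure code. It models the account-level
// script allowlist from the post as a CSP script-src directive, decides whether
// a script origin is permitted using CSP host-source matching, and reduces a
// browser violation report to the kind of row the phase-3 log would show.
// All hostnames are constructed placeholders, not real Canvas domains.

const MAX_CUSTOM_DOMAINS = 50;                 // allowlist limit stated in the post
// Assumed stand-ins for the domains the post says are added automatically.
const BUILTIN_SOURCES = ["'self'", "*.platform-example.test"];

// CSP host-source matching: "*.example.test" matches a.example.test but NOT the
// bare example.test; a pattern without a wildcard matches only that exact host.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1);                 // ".example.test"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === p;
}

// Build the directive. Built-in and LTI domains do not count toward the limit.
function buildScriptSrc(customDomains, ltiDomains = []) {
  if (customDomains.length > MAX_CUSTOM_DOMAINS) {
    throw new Error(`allowlist exceeds ${MAX_CUSTOM_DOMAINS} custom domains`);
  }
  const sources = [...BUILTIN_SOURCES, ...ltiDomains, ...customDomains];
  return `script-src ${[...new Set(sources)].join(" ")}`;
}

// Would a browser enforcing `policy` on a page at `pageOrigin` load scriptUrl?
function isScriptAllowed(policy, scriptUrl, pageOrigin) {
  const directive = policy
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  if (!directive) return false;               // no script-src: treat as denied
  const sources = directive.slice("script-src ".length).split(/\s+/);
  const url = new URL(scriptUrl);
  return sources.some((src) =>
    src === "'self'" ? url.origin === pageOrigin : hostMatches(src, url.hostname)
  );
}

// Reduce a report-uri style violation report to what an admin needs:
// which page, which directive, and which host to consider adding.
function summarizeViolation(reportJson) {
  const r = JSON.parse(reportJson)["csp-report"];
  let blockedHost = r["blocked-uri"];          // may be "inline" or "eval"
  try {
    blockedHost = new URL(r["blocked-uri"]).hostname;
  } catch (_) {
    // not a URL; keep the literal value
  }
  return {
    page: r["document-uri"],
    directive: r["effective-directive"] || r["violated-directive"],
    blockedHost,
  };
}

// Constructed sample report in the report-uri JSON shape.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://school.platform-example.test/courses/1",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "https://tracker-example.test/pixel.js",
  },
});

// Small demonstration run.
const DEMO_POLICY = buildScriptSrc(["*.cdn-example.test"], ["lti-example.test"]);
const DEMO_PAGE = "https://school.platform-example.test";
console.log(DEMO_POLICY);
console.log(isScriptAllowed(DEMO_POLICY, "https://static.cdn-example.test/a.js", DEMO_PAGE));
console.log(isScriptAllowed(DEMO_POLICY, "https://cdn-example.test/a.js", DEMO_PAGE));
console.log(summarizeViolation(SAMPLE_REPORT));
```

One practical consequence of the wildcard rule is worth checking before an institution relies on `*.domain` entries: a `*.cdn-example.test` entry covers `static.cdn-example.test` but not `cdn-example.test` itself, so a script served from the apex domain still produces a violation and shows up in the phase 3 log.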


We're excited about the increased control this gives to institutions in managing the security for their instance of Canvas. As always, we'd love to hear from you. Let us know what you think in the comments!

We’ve had a few questions about the removal of the rating system in Commons, and we wanted to provide you all with some insight into our thought process.

  1. The rating system didn’t see wide adoption. Only 6.8% of resources in Commons had a star rating. Of those resources with a rating, 88% of them received 5 stars. We weren’t the only ones who noticed that the ratings weren't being used in a way that truly provided value. Here is an actual review of a resource in Commons:
    (rating: 5) "I'm going to give a five star rating to anything I find that is offtopic because nobody else is going to use the rating system in commons and that lets me game the system to ruin everything."
  2. Rating content in Commons is a lot of work and quite outside a normal workflow for most educators. It seems, for the most part, folks weren’t taking the time to import content into Canvas, evaluate its quality, and then return to Commons to rate the quality of the content. And this behavior is pretty understandable! That’s a lot of steps to take as a busy educator when there is no direct benefit to your own process.
  3. We wanted a shorter route to surface valuable Commons content for you in Canvas. Commons contains some awesome resources to include in your Canvas course. Currently, that process requires that you launch Commons, locate the content, and then send the content to the Canvas course you were building.


So if ratings aren’t proving to be super useful for identifying valuable content, we asked ourselves: What could we do to help identify valuable content in Commons without requiring our users to do extra work? Taking that problem a step further… how can we help identify that valuable content and surface it in Canvas?


From Canvas, very soon you will see an option to pull up your list of Commons Favorites and directly import content that you’ve identified as valuable. First, we’ll give you that option in the Rich Content Editor (RCE). From the RCE, you’ll be able to choose any video, audio, images, or files that are in your list of Commons favorites and directly import them. Next, we’ll give you the option to add content from your list of Commons favorites on the Index and Modules pages. We’ll also be adding feedback about how often things are favorited and imported to each resource. “Most Favorited” and “Most Downloaded/Imported” will be added to the “Most Relevant” sort options in search results.

Because adding resources to your Commons favorites lets you keep track of your favorite Commons content and makes importing that content into your Canvas course easier and more efficient, we expect favoriting to see greater adoption than the rating system did. We also feel that the number of downloads/imports and the number of favorites provide a better indication of effective content than a subjective and poorly adopted rating system did.