How do I manage the Content Security Policy for an account?

Document created by Canvas Doc Team Employee on Apr 20, 2019Last modified by Canvas Doc Team Employee on Nov 22, 2019
Version 13Show Document
  • View in full screen mode

You can enable and manage the Content Security Policy from the Security tab in your Account Settings. The Content Security Policy allows you to restrict custom JavaScript that runs in your instance of Canvas. You can manually add up to 50 domains to your whitelist. Using wild cards is recommended (e.g. *.instructure.com). Canvas and Instructure domains are included in the whitelist automatically and do not count against your 50 domain limit. Additionally, any LTI tools added in your account are automatically added to the whitelist and do not count against your 50 domain limit.

When enabled in an account or sub-account, the Content Security Policy is automatically enabled for all courses within the account or sub-account. Administrators can manually disable the policy for individual courses.

Sub-accounts have three options for managing the Content Security Policy. Sub-accounts can choose to disable the Content Security Policy, which disables the policy for the sub-account, enable the Content Security Policy at the sub-account level, which only includes domains which have been whitelisted for the sub-account, or inherit the Content Security Policy from the parent account level. Inheriting the policy will inherit any whitelisted domains from the parent account level. Sub-accounts are set to inherit by default.

Open Account

Open Account

In Global Navigation, click the Admin link [1], then click the name of the account [2].

Open Settings

Open Settings

In Account Navigation, click the Settings link.

Open Security Tab

  Open Security Tab

Click the Security tab.

Enable Content Security Policy

  Enable Content Security Policy

To enable the Content Security Policy for an account, click the Enable Content Security Policy toggle.

Add Domain to Whitelist

  Add Domain to Whitelist

To add a domain to your whitelist, type the domain name in the Domain Name field [1].

Click the Add Domain button [2].

Note: Wild card domains (e.g., *.instructure.com) are recommended. Wild cards include all subdomains tied to the domain name (e.g., example.instructure.com).

View Whitelist

  View Whitelist

You can view all whitelisted domains in the whitelist [1] as well as the number of domains added to the whitelist [2].

Remove Whitelisted Domain

  Remove Whitelisted Domain

To remove a domain from the whitelist, click the Delete icon.

View Whitelisted Tool Domains

  View Whitelisted Tool Domains

You can view domain names that have automatically been added to your whitelist in the Whitelisted Tool Domains list.

All Canvas and Instructure domain names are automatically added to the whitelist and do not count against the 50 domain limit. Additionally, LTI tools in your account are also automatically added to the whitelist and do not count against the 50 domain limit.

Notes:

Manage Sub-Account Content Security Policy

  Manage Sub-Account Content Security Policy

Sub-accounts can manage their own Content Security Policy or choose to inherit the policy from a parent account.

By default, sub-accounts are set to inherit the Content Security Policy from the parent account.

Note: When policy settings are inherited from a parent account, whitelist editing is disabled at the sub-account level.

Enable Content Security Policy

  Enable Content Security Policy

To manage the Content Security Policy from the sub-account level, disable the Inherit Content Security Policy toggle [1] and enable the Enable Content Security Policy toggle [2].

Disable Content Security Policy

  Disable Content Security Policy

To disable the Content Security Policy for the sub-account, disable the Enable Content Security Policy toggle.

Manage Individual Course Settings

Manage Individual Course Settings

The Content Security Policy automatically applies to all courses in the account or sub-account where the policy is enabled.

To disable the Content Security Policy for the course, navigate to the course Settings page and click the more options link [1].

Click the Disable Content Security Policy checkbox to disable the policy for the course [2].

To save your changes, click the Update Course Details button [3].

You are here
Table of Contents > Settings > How do I manage the Content Security Policy for an account?

Attachments

    Outcomes