Changing frame ancestor policy for Canvas LTI

Diehardwalnut
Community Member

I am currently building a Canvas LTI that makes requests to a REST API we have on our server. To prevent unauthenticated access to the API endpoints we have on our servers, we are using Shibboleth to establish sessions. We are quite certain that we have the Shibboleth SP configured correctly on our server and can use the app outside Canvas. The problem is that when we try to load the app in Canvas, we see this error.

Refused to frame 'https://shibidp...' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

where shibidp is the URL redirect Shibboleth uses to authenticate. It appears the iframe Canvas wraps our app in doesn't like this. We tried following the directions from this Canvas guide; however, we don't see a security tab. Any guidance would be appreciated!

 
