Hi,
We've identified a potential security and privacy issue with SCORM packages uploaded via the SCORM LTI tool in Canvas. When a SCORM package is embedded or added as an assignment, the content is hosted on a public domain (e.g. https://dub.scorm.canvaslms.com) and can be accessed without authentication if someone has the direct link.

This is easy to replicate — for example, a student can right-click on a menu item or embedded SCORM player, copy the link address, and share it. The content then loads outside of Canvas, with no login or tracking required.

We came across the setting ApiUseSignedLaunchLinks=true  However, we’re unsure what modifications are required in the SCORM package itself to support this.

Could someone clarify:

• What steps are needed to make a SCORM package compatible with signed launch links in Canvas?

• Is this feature officially supported, and is there any technical documentation available?

• Is the SCORM player hosted by Rustici, and if so, does it support or require specific setup for this feature?

We’re looking for a more secure workflow to protect SCORM-based content and assessment materials. Any guidance would be greatly appreciated.

Thanks!