This behavior has been resolved and deployed to the production environment as of 5/3/22.
| Description |
|---|
-
Public eportfolio can be viewed on any Canvas domain/under any instance's branding as long as the the sharded eportfolio ID is used.
-
This allows bad actors to pass off malicious content as being from specific Canvas customer accounts, which makes brand sensitive admins concerned.
| Expected Behavior |
|---|
Don’t allow eportfolios to be viewed from unrelated accounts (redirect if accounts are in a trust/consortium)
| Workaround |
|---|
Disable eportfolios across all instances or monitor all user activity.
| Steps to Reproduce |
|---|
- Create an eportfolio in any account
- Obtain the portion of the URL to the eportfolio with the shard id (e.g. eportfolios/9758~3916)
- Add that portion of the URL to any Canvas instance domain and see the eportfolio appears to originate from that instance.
| Additional Info |
|---|
FOO-2877
Known issues indicate notable behaviors that has been escalated to the Canvas engineering team. Known issues are not a guarantee for an immediate resolution. This document is for informational purposes only and does not replace the Support process. If you are encountering the behavior outlined in this document, please ensure you have submitted a Support case (per your institution's escalation process) so Canvas Support can adequately gauge the overall customer impact and prioritize appropriately.
- Reference
- Community Guidelines
- Security
- Developers
- Open Source
