[OPEN] Default Source Content Security Policy Logging is returning CSP violations for Canvas hosted media.

Canvas

Engineers are currently investigating the issue.

Description

When Default Source Content Security Policy Logging is enabled for an account, media uploaded to course files does not play and shows the error message "Content on this page violates the security policy, contact your admin for assistance."

Expected Behavior

According to our documentation here: Canvas Content Security Policy, all Canvas and Instructure domains are added to the allow list automatically, meaning Canvas-hosted media should play without any CSP errors. The browser console error in the steps below shows the enforced policy as "default-src 'self'" with no "media-src" directive, so the Instructure media CDN host is not covered by the policy the browser actually applies.

Workaround

No workaround exists at this time.

Steps to Reproduce

Prerequisite:

  • An instance with the feature flags Content Security Policy and Default Source Content Security Policy Logging enabled

  • Enable Content Security Policy must also be turned on under the Security tab of Account Settings

  • A course with an uploaded .mp4 file within the files section

  1. Access the course and navigate to the files section.

  2. Wait for the video to get processed, no changes are needed to the uploaded file.

  3. Attempt viewing the video after it is done processing. It will result in a “Content on this page violates the security policy, contact your admin for assistance.” error message.

    • The browser console shows an error like the following:
      Refused to load media from 'https://<region>.cdn.nv.instructuremedia.com/originals/...' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'media-src' was not explicitly set, so 'default-src' is used as a fallback.
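The console message above is the whole mechanism: a media request is governed by media-src, and when media-src is absent the browser falls back to default-src, whose only source here is 'self' (the Canvas page origin), so a request to the instructuremedia.com CDN is refused. The following is an added example, not code from this page or from Instructure: a small model of that directive-fallback and source-matching logic, run against a constructed Canvas page origin, a constructed CDN URL (with "region" standing in for the <region> placeholder), and two constructed policies. The "explicit media-src" policy is an illustrative assumption of what a working policy would need to contain, not Canvas's real allow list.

```javascript
// Added example (not from the Canvas page or Instructure): minimal model of how a
// browser selects the governing CSP directive for a media request and evaluates it.
// All policies, origins and hostnames below are constructed assumptions.

// Fetch directives fall back to default-src when not set explicitly.
const FALLBACK_CHAIN = {
  'media-src': ['media-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
};

// Parse "name src src; name src" into a Map. CSP ignores a repeated directive name.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// "*.example.com" matches subdomains only, never the bare apex example.com.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Evaluate one source expression: 'none', 'self', *, scheme:, or [scheme://]host[:port][/path].
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false; // keyword sources such as 'unsafe-inline' never match a URL
  const [, scheme, host, port] = m;
  // Simplification: exact scheme match only (real CSP also lets an http: source
  // match an https: request and ignores the path component of the pattern).
  const wanted = scheme ? `${scheme}:` : page.protocol;
  if (url.protocol !== wanted) return false;
  if (!hostMatches(host, url.hostname)) return false;
  if (port && port !== '*' && port !== (url.port || defaultPort(url.protocol))) return false;
  return true;
}

// Decide whether a request of the given type is allowed and report which directive
// governed it and whether that was a fallback, mirroring the console message.
function checkRequest(policy, type, requestUrl, pageUrl) {
  const directives = parsePolicy(policy);
  const url = new URL(requestUrl);
  const page = new URL(pageUrl);
  const name = FALLBACK_CHAIN[type].find((d) => directives.has(d)) || null;
  if (!name) return { allowed: true, directive: null, fallback: false };
  const allowed = directives.get(name).some((s) => sourceMatches(s, url, page));
  return { allowed, directive: name, fallback: name !== type };
}

// Constructed sample input: a Canvas course page and a media file on the CDN host
// named in the console error ("region" stands in for the <region> placeholder).
const PAGE = 'https://canvas.example.edu/courses/1/files';
const CDN_MEDIA = 'https://region.cdn.nv.instructuremedia.com/originals/sample.mp4';

// Policy seen in the console error versus an assumed policy with an explicit media-src.
const LOGGING_ONLY_POLICY = "default-src 'self'";
const EXPLICIT_MEDIA_POLICY =
  "default-src 'self'; media-src 'self' https://*.cdn.nv.instructuremedia.com";

for (const policy of [LOGGING_ONLY_POLICY, EXPLICIT_MEDIA_POLICY]) {
  console.log(JSON.stringify(policy), '=>', checkRequest(policy, 'media-src', CDN_MEDIA, PAGE));
}
```

Under the first policy the result reports directive "default-src" with fallback true and allowed false, which is exactly the refusal in the console error; under the second the media-src directive governs directly and the CDN host matches the wildcard source. The wildcard deliberately does not match the bare apex host, a detail that matters when an allow list is written by hand.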

Additional Info

FOO-4963


Known issues indicate notable behaviors that have been escalated to the Canvas engineering team. Known issues are not a guarantee for an immediate resolution. This document is for informational purposes only and does not replace the Support process. If you are encountering the behavior outlined in this document, please ensure you have submitted a Support case (per your institution's escalation process) so Canvas Support can adequately gauge the overall customer impact and prioritize appropriately.
