[OPEN] Some Instructure owned/created LTIs are blocked when Content Security Policy is enabled

Canvas

Engineers are currently investigating the issue.

Description

When the Content Security Policy (CSP) is enabled on an instance, some LTIs are blocked and will not load. (YouTube, SCORM, Vimeo from what I’ve found)

Expected Behavior

The correct domain should be added to the allowed domains automatically so that these Instructure-created LTIs load when the CSP is enabled.

Workaround

Manually add the LTI's domain on the Security tab in account settings (for example, the youtube-nocookie domain for the YouTube LTI).

Steps to Reproduce

  1. Enable the Content Security Policy feature option

  2. Go to the Security tab and enable the Content Security Policy

  3. Either create or go into an existing course and add a page with a YouTube video embedded via the YouTube LTI

  4. Save the page and observe that the embedded content doesn't load and the error “content on this page violates the security policy, contact your admin for assistance” appears

Additional Info

INTEROP-9041


Known issues indicate notable behaviors that have been escalated to the Canvas engineering team. Known issues are not a guarantee for an immediate resolution. This document is for informational purposes only and does not replace the Support process. If you are encountering the behavior outlined in this document, please ensure you have submitted a Support case (per your institution's escalation process) so Canvas Support can adequately gauge the overall customer impact and prioritize appropriately.
