How do I manage the Content Security Policy for an account?
You can enable and manage the Content Security Policy from the Security tab in your Account Settings. The Content Security Policy allows you to restrict custom JavaScript that runs in your instance of Canvas. You can manually add up to 50 domains to your allowed domains. Using wildcards is recommended (e.g., *.instructure.com). Canvas and Instructure domains are included in allowed domains automatically and do not count against your 50 domain limit. Additionally, any LTI tools added in your account are automatically added to allowed domains and do not count against your 50 domain limit.
When enabled in an account or sub-account, the Content Security Policy is automatically enabled for all courses within the account or sub-account. Administrators can manually disable the policy for individual courses.
Sub-accounts have three options for managing the Content Security Policy:
- Disable the Content Security Policy, which disables the policy for the sub-account.
- Enable the Content Security Policy at the sub-account level, which only includes domains that have been allowed for the sub-account.
- Inherit the Content Security Policy from the parent account level, which inherits any allowed domains from the parent account level.
Sub-accounts are set to inherit by default.
Note: The Security tab only displays in Account Settings if you have enabled the Content Security Policy feature option.
Open Account
In Global Navigation, click the Admin link [1], then click the name of the account [2].
Open Settings
In Account Navigation, click the Settings link.
Open Security Tab
Click the Security tab.
Enable Content Security Policy
To enable the Content Security Policy for an account, click the Enable Content Security Policy toggle.
Add Domain to Allowed Domains
To add a domain to your allowed domains, type the domain name in the Domain Name field [1].
Click the Add Domain button [2].
Note: Wildcard domains (e.g., *.instructure.com) are recommended. Wildcards include all subdomains tied to the domain name (e.g., example.instructure.com).
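As an added example (not Canvas or Instructure code), the following script checks which script hosts used by custom content would be covered by a manual allowed-domains list before the policy is enabled. It assumes entries are matched the way browsers match CSP host-sources, where a wildcard entry covers subdomains but not the bare domain; the function names and sample domains are hypothetical, and automatically added Canvas, Instructure and LTI tool domains are not modeled.

```javascript
// Added example: pre-flight audit of script hosts against an allowed-domains list.
// Assumption: entries are matched like CSP host-sources, so "*.example.edu"
// covers any subdomain but not the bare "example.edu".
const MAX_MANUAL_DOMAINS = 50; // manual limit stated on this page

function hostMatches(entry, host) {
  const e = entry.trim().toLowerCase();
  const h = host.toLowerCase();
  if (e.startsWith("*.")) {
    // ".example.edu" must be a strict suffix: at least one label in front.
    const suffix = e.slice(1);
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === e;
}

function auditScriptHosts(allowedDomains, scriptUrls) {
  if (allowedDomains.length > MAX_MANUAL_DOMAINS) {
    throw new RangeError(`more than ${MAX_MANUAL_DOMAINS} manual domains`);
  }
  const covered = new Set();
  const blocked = new Set();
  for (const raw of scriptUrls) {
    let host;
    try {
      host = new URL(raw).hostname;
    } catch {
      blocked.add(raw); // unparseable URL: flag for manual review
      continue;
    }
    const ok = allowedDomains.some((entry) => hostMatches(entry, host));
    (ok ? covered : blocked).add(host);
  }
  return { covered: [...covered].sort(), blocked: [...blocked].sort() };
}

// Constructed sample input (not taken from a real account).
const sampleAllowed = ["*.cdn.example.edu", "widgets.example.org"];
const sampleScripts = [
  "https://static.cdn.example.edu/theme.js",
  "https://cdn.example.edu/theme.js", // bare domain: not covered by the wildcard
  "https://widgets.example.org/embed.js",
  "https://widgets.example.org.lookalike.test/embed.js", // different domain
];
console.log(auditScriptHosts(sampleAllowed, sampleScripts));
```

Hosts reported under `blocked` need their own entry in the allowed domains list, or must be removed from the custom content, before the policy is enabled.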
View Allowed Domains
You can view all allowed domains in the Allowed Domains list [1] as well as the number of allowed domains contained in the list [2].
View Associated Tool Domains
You can view domain names that have automatically been added to your allowed domains in the Associated Tool Domains list.
All Canvas and Instructure domain names are automatically added to allowed domains and do not count against the 50 domain limit. Additionally, LTI tools in your account are also automatically added to allowed domains and do not count against the 50 domain limit.
Notes:
- To remove a domain for an LTI tool, the LTI tool must be removed from the account or sub-account.
- Associated tools are only listed once in the list of associated tool domains, even if they have been installed in multiple sub-accounts.
Manage Sub-Account Content Security Policy
Sub-accounts can manage their own Content Security Policy or choose to inherit the policy from a parent account.
By default, sub-accounts are set to inherit the Content Security Policy from the parent account.
Note: When policy settings are inherited from a parent account, domain editing is disabled at the sub-account level.
Enable Content Security Policy
To manage the Content Security Policy from the sub-account level, disable the Inherit Content Security Policy toggle [1] and enable the Enable Content Security Policy toggle [2].
Manage Individual Course Settings
The Content Security Policy automatically applies to all courses in the account or sub-account where the policy is enabled.
To disable the Content Security Policy for an individual course, navigate to the course Settings page and click the Disable Content Security Policy checkbox [1].
To save your changes, click the Update Course Details button [2].