This behavior has been resolved and deployed to the production environment as of 6/19/24.
Description
-
When the Canvas Content Security Policy has been enabled, docviewer files do not preview when added to a Classic Quiz file upload question.
-
If 'https://cdn.inst-fs-iad-prod.inscloudgate.net' is added as a domain in the CSP, previews function again, but shouldn't be necessary, since "Canvas and Instructure domains are included in the whitelist automatically" (per https://community.canvaslms.com/docs/DOC-16592-42141077101)
Expected Behavior
-
Instead it should be able to preview files that are hosted on Canvas sites per our guide here:
-
https://cdn.inst-fs-iad-prod.inscloudgate.net should by default be added to the CSP
Workaround
No workaround exists at this time.
Steps to Reproduce
Prerequisites: A Canvas instance with the Canvas Content Security Policy enabled
-
In a Canvas course, create a Classic Quiz with a file upload option.
-
As a student, take the quiz and upload a file to the question.
-
Go to the submission in Speed Grader and click the file name to try downloading it, notice the error that it's not supported by the policy in place.
-
In the account, turn off the Content Security Policy and notice that you can click the submission and it downloads without error.
Additional Info
FOO-4468
Known issues indicate notable behaviors that have been escalated to the Canvas engineering team. Known issues are not a guarantee for an immediate resolution. This document is for informational purposes only and does not replace the Support process. If you are encountering the behavior outlined in this document, please ensure you have submitted a Support case (per your institution's escalation process) so Canvas Support can adequately gauge the overall customer impact and prioritize appropriately.
