How do I manage the Content Security Policy for an account?

You can enable and manage the Content Security Policy from the Security tab in your Account Settings. The Content Security Policy allows you to restrict custom JavaScript that runs in your instance of Canvas. You can manually add up to 50 domains to your allowed domains. Using wild cards is recommended (e.g. *.instructure.com). Canvas and Instructure domains are included in allowed domains automatically and do not count against your 50 domain limit. Additionally, any LTI tools added in your account are automatically added to allowed domains and do not count against your 50 domain limit.

When enabled in an account or sub-account, the Content Security Policy is automatically enabled for all courses within the account or sub-account. Administrators can manually disable the policy for individual courses.

Sub-accounts have three options for managing the Content Security Policy: disable the Content Security Policy, which disables the policy for the sub-account; enable the Content Security Policy at the sub-account level, which only includes domains that have been allowed for the sub-account; or inherit the Content Security Policy from the parent account level. Inheriting the policy also inherits any allowed domains from the parent account level. Sub-accounts are set to inherit by default.

Note: The Security tab only displays in Account Settings if you have enabled the Content Security Policy feature option.

Open Account

In Global Navigation, click the Admin link [1], then click the name of the account [2].

Open Settings

In Account Navigation, click the Settings link.

Open Security Tab

Click the Security tab.

Note: The Security tab only displays in Account Settings if you have enabled the Content Security Policy feature option.

Enable Content Security Policy

To enable the Content Security Policy for an account, click the Enable Content Security Policy toggle.

Add Domain to Allowed Domains

To add a domain to your allowed domains, type the domain name in the Domain Name field [1].

Click the Add Domain button [2].

Note: Wild card domains (e.g., *.instructure.com) are recommended. Wild cards include all subdomains tied to the domain name (e.g., example.instructure.com).
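
Before enabling the policy, it can help to check which scripts your custom content loads would fall outside the allowed domains. The following is an added example, not code from Canvas or Instructure. It assumes allowed domains are matched the way browsers match CSP host sources, where a wild card covers subdomains but not the bare domain. The function names and all hostnames are hypothetical.

```javascript
// Added example; every hostname below is constructed sample data.
const DOMAIN_LIMIT = 50; // manual allowed-domain limit stated in this guide

// CSP host-source matching: "*.example.edu" matches any subdomain of
// example.edu, but not the bare domain example.edu itself.
function hostMatches(entry, host) {
  const e = entry.toLowerCase();
  const h = host.toLowerCase();
  if (e.startsWith("*.")) {
    const suffix = e.slice(1); // ".example.edu", leading dot kept
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === e;
}

// manualDomains: entries typed into the Domain Name field.
// autoDomains: automatically allowed entries (not counted against the limit).
// resourceUrls: script URLs that custom content in the account loads.
function auditAllowlist(manualDomains, autoDomains, resourceUrls) {
  const manual = [...new Set(manualDomains.map((d) => d.toLowerCase()))];
  const all = manual.concat(autoDomains);
  const blocked = new Set();
  for (const url of resourceUrls) {
    const host = new URL(url).hostname;
    if (!all.some((entry) => hostMatches(entry, host))) blocked.add(host);
  }
  // Exact entries already covered by a manual wild card waste a slot.
  const wildcards = manual.filter((d) => d.startsWith("*."));
  const redundant = manual.filter(
    (d) => !d.startsWith("*.") && wildcards.some((w) => hostMatches(w, d))
  );
  return {
    manualCount: manual.length,
    overLimit: manual.length > DOMAIN_LIMIT,
    blocked: [...blocked],
    redundant,
  };
}

const SAMPLE_MANUAL = ["*.cdn.example.edu", "static.cdn.example.edu", "widgets.example.org"];
const SAMPLE_AUTO = ["*.instructure.com"]; // assumed form of an auto-added entry
const SAMPLE_URLS = [
  "https://static.cdn.example.edu/app.js", "https://cdn.example.edu/lib.js",
  "https://example.instructure.com/x.js", "https://widgets.example.org/w.js",
  "https://analytics.example.net/t.js",
];
console.log(auditAllowlist(SAMPLE_MANUAL, SAMPLE_AUTO, SAMPLE_URLS));
```

In the sample data, cdn.example.edu is reported as blocked because the wild card entry *.cdn.example.edu does not cover the bare domain, so it would need its own entry.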

View Allowed Domains

You can view all allowed domains in the Allowed Domains list [1] as well as the number of allowed domains contained in the list [2].

Remove Allowed Domain

To remove a domain from the Allowed Domains list, click the Delete icon.

View Associated Tool Domains

You can view domain names that have automatically been added to your allowed domains in the Associated Tool Domains list.

All Canvas and Instructure domain names are automatically added to allowed domains and do not count against the 50 domain limit. Additionally, LTI tools in your account are also automatically added to allowed domains and do not count against the 50 domain limit.

Notes:

Manage Sub-Account Content Security Policy

Sub-accounts can manage their own Content Security Policy or choose to inherit the policy from a parent account.

By default, sub-accounts are set to inherit the Content Security Policy from the parent account.

Note: When policy settings are inherited from a parent account, domain editing is disabled at the sub-account level.

Enable Content Security Policy

To manage the Content Security Policy from the sub-account level, disable the Inherit Content Security Policy toggle [1] and enable the Enable Content Security Policy toggle [2].

Disable Content Security Policy

To disable the Content Security Policy for the sub-account, disable the Enable Content Security Policy toggle.

Manage Individual Course Settings

The Content Security Policy automatically applies to all courses in the account or sub-account where the policy is enabled.

To disable the Content Security Policy for the course, navigate to the course Settings page and click the Disable Content Security Policy checkbox [1].

To save your changes, click the Update Course Details button [2].