How do I manage the Content Security Policy for an account?
When enabled in an account or sub-account, the Content Security Policy is automatically enabled for all courses within the account or sub-account. Administrators can manually disable the policy for individual courses.
Sub-accounts have three options for managing the Content Security Policy. Sub-accounts can choose to disable the Content Security Policy, which disables the policy for the sub-account, enable the Content Security Policy at the sub-account level, which only includes domains which have been allowed for the sub-account, or inherit the Content Security Policy from the parent account level. Inheriting the policy will inherit any allowed domains from the parent account level. Sub-accounts are set to inherit by default.
In Global Navigation, click the Admin link , then click the name of the account .
In Account Navigation, click the Settings link.
Open Security Tab
Click the Security tab.
Enable Content Security Policy
To enable the Content Security Policy for an account, click the Enable Content Security Policy toggle.
Add Domain to Allowed Domains
To add a domain to your allowed domains, type the domain name in the Domain Name field .
Click the Add Domain button .
Note: Wild card domains (e.g., *.instructure.com) are recommended. Wild cards include all subdomains tied to the domain name (e.g., example.instructure.com).
View Allowed Domains
You can view all allowed domains in the Allowed Domains list  as well as the number of allowed domains contained in the list .
Remove Allowed Domain
To remove a domain from the Allowed Domains list, click the Delete icon.
View Associated Tool Domains
You can view domain names that have automatically been added to your allowed domains in the Associated Tool Domains list.
All Canvas and Instructure domain names are automatically added to allowed domains and do not count against the 50 domain limit. Additionally, LTI tools in your account are also automatically added to allowed domains and do not count against the 50 domain limit.
- To remove a domain for an LTI tool, the LTI tool must be removed from the account or sub-account.
- Associated tools are only listed once in the list of associated tool domains, even if they have been installed in multiple sub-accounts.
Manage Sub-Account Content Security Policy
Sub-accounts can manage their own Content Security Policy or choose to inherit the policy from a parent account.
By default, sub-accounts are set to inherit the Content Security Policy from the parent account.
Note: When policy settings are inherited from a parent account, domain editing is disabled at the sub-account level.
Enable Content Security Policy
To manage the Content Security Policy from the sub-account level, disable the Inherit Content Security Policy toggle  and enable the Enable Content Security Policy toggle .
Disable Content Security Policy
To disable the Content Security Policy for the sub-account, disable the Enable Content Security Policy toggle.
Manage Individual Course Settings
The Content Security Policy automatically applies to all courses in the account or sub-account where the policy is enabled.
To disable the Content Security Policy for the course, navigate to the course Settings page and click the more options link .
Click the Disable Content Security Policy checkbox to disable the policy for the course .
To save your changes, click the Update Course Details button .