How do I manage the Content Security Policy for an account?
When enabled in an account or sub-account, the Content Security Policy is automatically enabled for all courses within the account or sub-account. Administrators can manually disable the policy for individual courses.
Sub-accounts have three options for managing the Content Security Policy. Sub-accounts can choose to disable the Content Security Policy, which disables the policy for the sub-account, enable the Content Security Policy at the sub-account level, which only includes domains which have been whitelisted for the sub-account, or inherit the Content Security Policy from the parent account level. Inheriting the policy will inherit any whitelisted domains from the parent account level. Sub-accounts are set to inherit by default.
In Global Navigation, click the Admin link , then click the name of the account .
In Account Navigation, click the Settings link.
Open Security Tab
Click the Security tab.
Enable Content Security Policy
To enable the Content Security Policy for an account, click the Enable Content Security Policy toggle.
Add Domain to Whitelist
To add a domain to your whitelist, type the domain name in the Domain Name field .
Click the Add Domain button .
Note: Wild card domains (e.g., *.instructure.com) are recommended. Wild cards include all subdomains tied to the domain name (e.g., example.instructure.com).
You can view all whitelisted domains in the whitelist  as well as the number of domains added to the whitelist .
Remove Whitelisted Domain
To remove a domain from the whitelist, click the Delete icon.
View Whitelisted Tool Domains
You can view domain names that have automatically been added to your whitelist in the Whitelisted Tool Domains list.
All Canvas and Instructure domain names are automatically added to the whitelist and do not count against the 50 domain limit. Additionally, LTI tools in your account are also automatically added to the whitelist and do not count against the 50 domain limit.
- To remove a domain for an LTI tool, the LTI tool must be removed from the account or sub-account.
- Associated tools are only listed once in the list of whitelisted tool domains, even if they have been installed in multiple sub-accounts.
Manage Sub-Account Content Security Policy
Sub-accounts can manage their own Content Security Policy or choose to inherit the policy from a parent account.
By default, sub-accounts are set to inherit the Content Security Policy from the parent account.
Note: When policy settings are inherited from a parent account, whitelist editing is disabled at the sub-account level.
Enable Content Security Policy
To manage the Content Security Policy from the sub-account level, disable the Inherit Content Security Policy toggle  and enable the Enable Content Security Policy toggle .
Disable Content Security Policy
To disable the Content Security Policy for the sub-account, disable the Enable Content Security Policy toggle.
Manage Individual Course Settings
The Content Security Policy automatically applies to all courses in the account or sub-account where the policy is enabled.
To disable the Content Security Policy for the course, navigate to the course Settings page and click the more options link .
Click the Disable Content Security Policy checkbox to disable the policy for the course .
To save your changes, click the Update Course Details button .