Content Security Policy Settings API
BETA: This API resource is not finalized, and there could be breaking changes before its final release.
API for enabling/disabling the use of Content Security Policy headers and configuring allowed domains
Get current settings for account or course CspSettingsController#get_csp_settings
BETA: This API endpoint is not finalized, and there could be breaking changes before its final release.
GET /api/v1/courses/:course_id/csp_settings
url:GET|/api/v1/courses/:course_id/csp_settings
GET /api/v1/accounts/:account_id/csp_settings
url:GET|/api/v1/accounts/:account_id/csp_settings
Update multiple modules in an account.
API response field:
-
enabled
Whether CSP is enabled.
-
inherited
Whether the current CSP settings are inherited from a parent account.
-
settings_locked
Whether current CSP settings can be overridden by sub-accounts and courses.
-
effective_whitelist
If enabled, lists the currently allowed domains (includes domains automatically allowed through external tools).
-
tools_whitelist
(Account-only) Lists the automatically allowed domains with their respective external tools
-
current_account_whitelist
(Account-only) Lists the current list of domains explicitly allowed by this account. (Note: this list will not take effect unless CSP is explicitly enabled on this account)
Enable, disable, or clear explicit CSP setting CspSettingsController#set_csp_setting
BETA: This API endpoint is not finalized, and there could be breaking changes before its final release.
PUT /api/v1/courses/:course_id/csp_settings
url:PUT|/api/v1/courses/:course_id/csp_settings
PUT /api/v1/accounts/:account_id/csp_settings
url:PUT|/api/v1/accounts/:account_id/csp_settings
Either explicitly sets CSP to be on or off for courses and sub-accounts, or clear the explicit settings to default to those set by a parent account
Note: If “inherited” and “settings_locked” are both true for this account or course, then the CSP setting cannot be modified.
Request Parameters:
Parameter | Type | Description | |
---|---|---|---|
status | Required | string |
If set to “enabled” for an account, CSP will be enabled for all its courses and sub-accounts (that have not explicitly enabled or disabled it), using the allowed domains set on this account. If set to “disabled”, CSP will be disabled for this account or course and for all sub-accounts that have not explicitly re-enabled it. If set to “inherited”, this account or course will reset to the default state where CSP settings are inherited from the first parent account to have them explicitly set.
Allowed values: |
Lock or unlock current CSP settings for sub-accounts and courses CspSettingsController#set_csp_lock
BETA: This API endpoint is not finalized, and there could be breaking changes before its final release.
PUT /api/v1/accounts/:account_id/csp_settings/lock
url:PUT|/api/v1/accounts/:account_id/csp_settings/lock
Can only be set if CSP is explicitly enabled or disabled on this account (i.e. “inherited” is false).
Request Parameters:
Parameter | Type | Description | |
---|---|---|---|
settings_locked | Required | boolean |
Whether sub-accounts and courses will be prevented from overriding settings inherited from this account. |
Add an allowed domain to account CspSettingsController#add_domain
BETA: This API endpoint is not finalized, and there could be breaking changes before its final release.
POST /api/v1/accounts/:account_id/csp_settings/domains
url:POST|/api/v1/accounts/:account_id/csp_settings/domains
Adds an allowed domain for the current account. Note: this will not take effect unless CSP is explicitly enabled on this account.
Request Parameters:
Parameter | Type | Description | |
---|---|---|---|
domain | Required | string |
no description |
Add multiple allowed domains to an account CspSettingsController#add_multiple_domains
BETA: This API endpoint is not finalized, and there could be breaking changes before its final release.
POST /api/v1/accounts/:account_id/csp_settings/domains/batch_create
url:POST|/api/v1/accounts/:account_id/csp_settings/domains/batch_create
Adds multiple allowed domains for the current account. Note: this will not take effect unless CSP is explicitly enabled on this account.
Request Parameters:
Parameter | Type | Description | |
---|---|---|---|
domains | Required | Array |
no description |
Retrieve reported CSP Violations for account CspSettingsController#csp_log
BETA: This API endpoint is not finalized, and there could be breaking changes before its final release.
GET /api/v1/accounts/:account_id/csp_log
url:GET|/api/v1/accounts/:account_id/csp_log
Must be called on a root account.
Remove a domain from account CspSettingsController#remove_domain
BETA: This API endpoint is not finalized, and there could be breaking changes before its final release.
DELETE /api/v1/accounts/:account_id/csp_settings/domains
url:DELETE|/api/v1/accounts/:account_id/csp_settings/domains
Removes an allowed domain from the current account.
Request Parameters:
Parameter | Type | Description | |
---|---|---|---|
domain | Required | string |
no description |