tl-its-umich-edu / canvas-app-explorer

A Web application that presents a list of Canvas external (LTI) tools with details. When integrated within Canvas, the user can search for specific LTI tool(s), and add or remove those tools from Canvas courses.
Apache License 2.0

Replace X_FRAME_OPTIONS with CSP #220

Closed jonespm closed 2 years ago

jonespm commented 2 years ago

X_FRAME_OPTIONS was only intended to be used as a quick temporary test. We should replace that with CSP similar to MyLA.

https://github.com/tl-its-umich-edu/canvas-app-explorer/blob/210fe85bc49e0e8a8e7051430931b650fa1111d8/backend/settings.py#L151

zqian commented 2 years ago

Verified LTI integration works in the Canvas test instance after the following setting is enabled in the .env file:

CSP_FRAME_ANCESTORS=canvas-test.it.umich.edu
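
Added example, not the project's own code: a framework-free Python sketch of what replacing X-Frame-Options with a CSP `frame-ancestors` directive involves, using the `CSP_FRAME_ANCESTORS` value from the comment above. The names `frame_ancestors_policy` and `FrameAncestorsMiddleware` are hypothetical, and treating the value as a comma-separated list is an assumption.

```python
import re

# Host-source form: optional scheme, optional "*." prefix, host, optional port.
# A bare "*" is rejected on purpose: it would let any site frame the tool.
_SOURCE_RE = re.compile(
    r"^(?:https?://)?(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?::\d{1,5})?$"
)
_KEYWORDS = {"'self'", "'none'"}


def frame_ancestors_policy(env_value):
    """Build a frame-ancestors directive from a comma-separated env value."""
    sources = [s.strip() for s in (env_value or "").split(",") if s.strip()]
    if not sources:
        # Fail closed: an unset variable means nobody may frame the app.
        return "frame-ancestors 'none'"
    for src in sources:
        # Whitespace or ";" inside a source would smuggle in extra directives.
        if src not in _KEYWORDS and not _SOURCE_RE.match(src):
            raise ValueError(f"invalid frame-ancestors source: {src!r}")
    if "'none'" in sources and len(sources) > 1:
        raise ValueError("'none' cannot be combined with other sources")
    return "frame-ancestors " + " ".join(sources)


class FrameAncestorsMiddleware:
    """WSGI wrapper: send the CSP header and drop any X-Frame-Options header."""

    def __init__(self, app, env_value):
        self.app = app
        self.policy = frame_ancestors_policy(env_value)  # validate at startup

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept.append(("Content-Security-Policy", self.policy))
            return start_response(status, kept, exc_info)

        return self.app(environ, patched)
```

Browsers that implement `frame-ancestors` ignore X-Frame-Options when both are present, so the old header is dropped rather than left to disagree with the policy.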