Hi, all.
I'm having a slight problem configuring Nginx for the Numbas LTI provider. Our security people are asking me to lock it down pretty tightly before we can let students access it without needing to be on the VPN, and so far I've managed to get most of it accomplished.
I'm running into an issue, though, where if I set a Content-Security-Policy header for Nginx and then click on a placement in Blackboard, the LTI launch will look like it's happening, but then the actual Numbas resource will never load in the frame.
I haven't had a chance to look in the browser tools to see what might be happening--I've temporarily disabled the header so our digital learning team can keep testing for now--but I was wondering if I'm just missing something really obvious. This is the header as it's currently set in nginx.conf:
    add_header Content-Security-Policy "default-src 'self'; script-src 'self';" always;
I'm guessing I might need to add the hostnames for our Blackboard system in, but I'm not as up on my Nginx as I should be. Has anyone else run into a similar issue, and if so, how did you fix it? Thanks in advance.
--
Tom Salyers
University of Sheffield
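
Added example (not part of the original post, and not Numbas or Nginx project code): a simplified evaluator for the policy quoted above, reporting which kinds of load it permits. It models three CSP rules: fetch directives missing from the policy fall back to default-src, inline script and style need 'unsafe-inline', and frame-ancestors has no fallback. The two origins are placeholders, and nonces, hashes, wildcards and paths are not modelled.

```javascript
// Added example: simplified CSP check (no nonces, hashes, wildcards or paths).
const POLICY = "default-src 'self'; script-src 'self';"; // from the post's nginx.conf line
const SELF = "https://numbas-lti.example.ac.uk"; // placeholder origin of the tool
const LMS = "https://blackboard.example.ac.uk";  // placeholder origin of the LMS
// Fallback chains; directives not listed (frame-ancestors, form-action) have none.
const FALLBACK = {
  "script-src": ["default-src"], "style-src": ["default-src"],
  "font-src": ["default-src"], "connect-src": ["default-src"],
  "frame-src": ["child-src", "default-src"],
};

function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !(name.toLowerCase() in out)) out[name.toLowerCase()] = values;
  }
  return out;
}

// Source list that governs `directive`, or null when nothing restricts it.
function effectiveSources(parsed, directive) {
  const hit = [directive, ...(FALLBACK[directive] || [])].find((d) => d in parsed);
  return hit ? parsed[hit] : null;
}

// target is the string "inline" or an absolute URL.
function allows(parsed, directive, target, selfOrigin) {
  const sources = effectiveSources(parsed, directive);
  if (sources === null) return true;
  if (target === "inline") return sources.includes("'unsafe-inline'");
  const origin = new URL(target).origin;
  return sources.some((s) =>
    s === "*" || (s === "'self'" && origin === selfOrigin) || s === origin);
}

function report(policy = POLICY) {
  const p = parsePolicy(policy);
  return {
    ownScript: allows(p, "script-src", SELF + "/static/app.js", SELF),
    inlineScript: allows(p, "script-src", "inline", SELF),
    inlineStyle: allows(p, "style-src", "inline", SELF),
    thirdPartyFont: allows(p, "font-src", "https://cdn.example.net/f.woff2", SELF),
    framedByLms: allows(p, "frame-ancestors", LMS, SELF),
  };
}
console.log(report());
```

The browser console lists the directive behind each blocked load, which can be compared against this output.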