Variable | Type | Default Value | Description |
---|---|---|---|
d2l.Security.BypassDateCheck | Org | ON | Controls whether courses with start/end dates are displayed in the My Courses widget and the Pulse mobile apps outside their date range (i.e. before or after their start and end dates). Only applicable to roles without the 'Access Past/Future Courses' setting. When turned on, users will be able to see upcoming courses and previous course offerings they are enrolled in. They will not be able to access these course offerings (the names will not appear as links to the course homepage, as is the case for current course offerings). Security.HasOrgUnitDateRestrictions must be enabled. |
d2l.Security.ContentApplySandbox | Org | ON | Enables the sandboxing security feature for the organization. When ON, content security permissions and org unit content sandboxing become enabled. |
d2l.Security.ContentSandboxDefault | OrgUnit | OFF | Determines the default sandbox behaviour for the organization and other org units. Requires d2l.Security.ContentApplySandbox to be ON to take effect. Can also be set on the Course Offering Information page. |
d2l.Security.DisableScriptCookies | Org | OFF | Controls whether cookies used by scripts are disabled. |
d2l.Security.HasOrgUnitDate | Org | ON | Controls whether org unit start/end date restrictions are enforced. When enabled, roles without the 'Access Past/Future Courses' setting will not be able to access date-restricted course offerings outside their date range. |
d2l.Security.WidgetsApplySandbox | Org | ON | When ON, sandboxing will be enabled in Widgets. |
Api
Variable | Type | Default Value | Description |
---|---|---|---|
d2l.Security.Api.ApplicationsAvailableAsPublished | Org | ON | Automatically enable applications from the master list. |
d2l.Security.Api.EnableApi | Org | ON | Central switch for all of API. |
d2l.Security.Api.Sync.LmsId | Org | null | ID for the central application provisioning service. |
d2l.Security.Api.TokenTimeout | Org | -1 | Timeout for long-lived tokens in API calls in seconds. |
Content Security Policy
Variable | Type | Default Value | Description |
---|---|---|---|
d2l.Security.ContentSecurityPolicy.AddtnlAncestors | Org | https://s.brightspace.com https://*.ally.ac https://leaplti.desire2learn.com/ https://leaplti-fr.brightspace.com/ https://tryleap.brightspace.com/ https://leaplti-es.desire2learn.com/ https://leaplti-ptbr.desire2learn.com/ https://leaplti-us.brightspace.com/ https://leaplti-apac.brightspace.com/ https://leaplti-emea.brightspace.com/ https://leapqa.net https://leaplti-ap.brightspace.com https://login.microsoftonline.com/ https://login.live.com/ https://cdn.lcs.brightspace.com/ | Web pages that are allowed to embed the site within a frame in addition to itself. See Announcement about Content Security Policy Usage within Brightspace for examples. |
d2l.Security.ContentSecurityPolicy.HeaderEnabled | Org | ON | Enables the Content-Security-Policy HTTP header. |
d2l.Security.ContentSecurityPolicy.ReportingOnly | Org | OFF | Whether to only report Content-Security-Policy violations on Login Pages, rather than enforcing the policy. Note: Enforced violations are still reported when this is set to "off". |
d2l.Security.ContentSecurityPolicy.SiteWideReportingOnly | Org | ON | Whether to only report Content-Security-Policy violations for all pages except Login Pages, rather than enforcing the policy. Note: Enforced violations are still reported when this is set to "off". |
d2l.Security.ContentSecurityPolicy.SvgAllowScripts | OrgUnit | OFF | Whether or not SVG image content is allowed to execute JavaScript inside its CSP sandbox. |