Content Security Policy for Lesson Embeds
Overview
Lesson pages now enforce Content Security Policy (CSP) headers to control which third-party sources are permitted to render embedded content. This protects learners from cross-site scripting (XSS) attacks while ensuring that video content from widely used platforms continues to load without interruption.
Trusted Video Providers
The following providers are explicitly allowlisted in the CSP and will render correctly inside lesson iframes:
| Provider | Embed Domain(s) |
|---|---|
| YouTube | youtube.com, youtube-nocookie.com |
| Vimeo | vimeo.com, player.vimeo.com |
| Wistia | wistia.com, fast.wistia.com, wistia.net |
| Loom | loom.com, www.loom.com |
Video embeds from these providers — including those imported via the Teachable course importer — will display correctly for all learners without any additional configuration.
What Gets Blocked
Any <iframe> or embedded resource originating from a domain not on the allowlist will be blocked by the browser before it loads. This includes:
- Arbitrary <iframe> injections that may have been introduced through compromised or manually edited lesson content.
- Embeds from unrecognised or unsupported third-party providers.
- Inline scripts and unauthorized resource origins that are characteristic of XSS payloads.
Blocked embeds will not cause page errors — the rest of the lesson content will continue to load normally.
Impact on Imported Content
If your courses were imported from a Teachable school, the importer preserves embed links from the original lessons. Embeds from YouTube, Vimeo, Wistia, and Loom will continue to work as expected after import.
If your Teachable content included embeds from providers not on the allowlist, those embeds will be blocked once the lesson is served through this platform. You will need to either:
- Replace the embed with an equivalent from a supported provider, or
- Contact support to discuss adding a new provider to the CSP allowlist.
Requesting Additional Providers
If your organisation relies on a video or content embed provider that is not currently allowlisted, please contact support with the following information:
- The provider name and the specific embed domain(s) required.
- Example lesson URLs where the embed is used.
Additions to the allowlist are reviewed on a case-by-case basis to ensure they do not introduce security risks.
Technical Background
CSP headers are delivered as HTTP response headers on all lesson page requests. The frame-src and child-src directives govern which origins may be loaded in frames. Restricting these directives is a defence-in-depth measure that prevents injected or malicious iframe content from executing in the context of a learner's authenticated session, even if other sanitisation layers are bypassed.
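As an added illustration (not the platform's own code or configuration), the JavaScript below builds a CSP header whose frame-src and child-src directives list the providers from the table above, then evaluates candidate embed URLs against that header using a simplified version of the host-source matching a browser applies, including the frame-src to child-src to default-src fallback. The function names, the page origin, and the sample embed URLs are constructed for the example. One caveat it makes visible: a bare host-source such as https://youtube.com matches only that exact host, so a subdomain such as www.youtube.com needs its own entry or a "*." wildcard source.

```javascript
// Added example, not the platform's own code. Builds a frame-src/child-src
// policy from the allowlisted provider hosts and checks embed URLs against it.
// Host-source matching is a simplified model of CSP: scheme, host (with an
// optional leading "*." wildcard) and port are compared; paths are ignored.

// Embed hosts taken from the "Trusted Video Providers" table.
const TRUSTED_EMBED_HOSTS = [
  "youtube.com", "youtube-nocookie.com",
  "vimeo.com", "player.vimeo.com",
  "wistia.com", "fast.wistia.com", "wistia.net",
  "loom.com", "www.loom.com",
];

// Build the frame-src value. A bare host-source matches only that exact host,
// so withWildcards optionally adds "https://*.<host>" to cover subdomains.
function buildFrameSrc(hosts, { withWildcards = false } = {}) {
  const sources = ["'self'"];
  for (const h of hosts) {
    sources.push(`https://${h}`);
    if (withWildcards && !h.startsWith("www.")) sources.push(`https://*.${h}`);
  }
  return sources.join(" ");
}

// Full header value: frame-src and child-src carry the same allowlist, as the
// Technical Background section describes; other directives are illustrative.
function buildCspHeader(hosts, opts) {
  const frameSrc = buildFrameSrc(hosts, opts);
  return [
    "default-src 'self'",
    `frame-src ${frameSrc}`,
    `child-src ${frameSrc}`,
    "script-src 'self'",
    "object-src 'none'",
  ].join("; ");
}

// Parse "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Match a single source expression against an already-parsed URL.
function matchesSource(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return true;
  if (source.startsWith("'")) return false; // keyword sources other than the above
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = url.hostname.toLowerCase();
  const want = host.toLowerCase();
  const hostOk = wildcard ? h.endsWith(`.${want}`) : h === want;
  if (!hostOk) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port && port !== "*" && urlPort !== port) return false;
  return true;
}

// Decide whether a browser applying this header would load the embed frame.
// frame-src falls back to child-src, which falls back to default-src.
function isFramingAllowed(header, embedUrl, pageOrigin) {
  const csp = parseCsp(header);
  const sources =
    csp.get("frame-src") ?? csp.get("child-src") ?? csp.get("default-src");
  if (!sources) return true; // no governing directive, so nothing is restricted
  const url = new URL(embedUrl);
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}
```

Running isFramingAllowed against buildCspHeader(TRUSTED_EMBED_HOSTS) admits https://player.vimeo.com/... and rejects an unlisted origin, but also rejects https://www.youtube.com/embed/... because only the bare youtube.com host is listed; passing { withWildcards: true } admits the subdomain while still rejecting look-alike hosts such as youtube.com.evil.example and plain-http variants. Whatever sources end up in production, the useful check is to run the real embed URLs from lesson pages through the actual header rather than assuming that listing an apex domain covers every subdomain a provider uses.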
For a full reference on Content Security Policy, see the MDN Web Docs on CSP.