Alternate Domain

Rendering user-uploaded files from an alternate domain is a defense-in-depth security control. A user who uploads content containing malicious scripts could potentially hijack the main Blackboard Learn session of a target user once that user accesses the affected content.

To protect against this type of activity, users can now access user-uploaded files and add custom HTML through an alternate domain. This security control relies on a browser security feature, the "same-origin policy". As a result, malicious scripts within user-uploaded files that are rendered in one domain or subdomain are segregated from the cookies, and thus the session information, of the primary Blackboard Learn session.

This security control is another defensive layer in Blackboard's security framework to further protect users from potentially malicious user-uploaded files.

Blackboard recommends that administrators configure this security control on all of their Blackboard Learn implementations. This is a Blackboard security best practice.


Separate domain for rendering content

A separate domain or subdomain provides a more secure way of accessing user-uploaded files from a Blackboard Learn server. This separate domain helps prevent user-uploaded content containing malicious script from being used to compromise a user's Blackboard Learn session and thus user data. With a separate domain or subdomain configured, all content is delivered from the original domain to the separate domain, essentially forwarding content to the separate domain. To the user, this is completely seamless.

If a user-uploaded file contains malicious scripts designed to perform session hijacking, the browser's security controls, namely the "same-origin policy", help prevent the user's file rendering session from accessing the user's primary session. The user's primary session is used for activity such as taking assessments, viewing grades, and so on. Thus, the attack would be compartmentalized and the impact would be limited. While attackers might gain access to content they normally do not have access to, they will not gain access to a victim's primary session or across the whole site.
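
The isolation described above depends on two browser rules: origin comparison and cookie scope. The following sketch is an added example, not Blackboard code; the hostnames and cookie names are constructed, and it reports which cookies set by a primary host would still be in scope for a content host.

```javascript
// Added example. Hostnames and cookie names are constructed, not Blackboard defaults.

// Same-origin check: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match: identical, or host is a subdomain of the cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// A cookie with no Domain attribute is host-only: it is in scope only for the
// exact host that set it. With a Domain attribute, it is also sent to every
// subdomain that matches.
function inScope(cookie, setByHost, targetHost) {
  if (!cookie.domain) return targetHost.toLowerCase() === setByHost.toLowerCase();
  return domainMatch(targetHost, cookie.domain);
}

// Names of cookies set by the primary host that the content host would also get.
function exposedCookies(cookies, primaryHost, contentHost) {
  return cookies
    .filter((c) => inScope(c, primaryHost, contentHost))
    .map((c) => c.name);
}

// Constructed sample: one host-only session cookie, one parent-scoped cookie.
const sampleCookies = [
  { name: "SESSION", domain: null },
  { name: "PREFS", domain: ".example.edu" },
];
const primary = "learn.example.edu";

for (const content of ["files.example.edu", "learn-files.example.net"]) {
  const leaked = exposedCookies(sampleCookies, primary, content);
  console.log(
    content,
    "same origin as primary:",
    sameOrigin(`https://${primary}/`, `https://${content}/`),
    "| primary cookies in scope:",
    leaked.length ? leaked.join(", ") : "none"
  );
}
```

If a session cookie appears in the list for the chosen content host, the two hosts share cookie scope and the separation does not isolate that cookie.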

Special notes

The Blackboard Learn server located at the alternate hostname will only respond to WebDAV requests.

Any Blackboard Learn installation responding to a request at the alternate hostname cannot be used to perform normal Blackboard Learn functions. As a result, brands and other similar alternate file hostnames cannot use the same hostname as the file domain.

Please view the Hostname Configuration Management section of our release notes to review your hostname. 

The alternate domain information is pre-configured when you enable alternate domain. We recommend not changing these pre-configured values as Blackboard only supports one alternate domain. If you do want to change the pre-configured values, you can choose to use:

  • blackboard.com
  • the domain of your site if you use a vanity URL

Enable alternate domain for serving content

When setting up a separate domain, do not use hostnames that you have set up for brands. If you do, your brands will not function properly.

  1. Navigate to Admin Panel > Security > Alternate Domain for Serving Content.
  2. Select the box to enable Alternate Domain for Serving Content.
  3. The information populates with pre-configured content.

    We recommend not changing these pre-configured values as Blackboard only supports one alternate domain. If you do want to change the pre-configured values, you can choose to use blackboard.com or the domain of your site if you use a vanity URL.

  4. Select Submit.

If HTML authoring fails to load after configuring the alternate domain, please engage with support to ensure that your environment domains are set up and configured correctly. Review your hostname configuration settings under Admin Panel > Security > Hostname Configuration.


Turn off alternate domain for serving content

  1. Navigate to Admin Panel > Security > Alternate Domain for Serving Content.
  2. Select the box to turn off Alternate Domain for Serving Content.
  3. Select Submit.