Hi Emiliano

This feature was added in Totara 13 and doesn't appear to be documented - I will create a ticket to update the documentation.

This added two capabilities 

• Upload a new unknown SCORM package ('mod/scorm:addnewpackage') - use unknown local SCORM package or change package URL/reference via standard  edit form

• Manage list of known trusted SCORM packages ('mod/scorm:managetrustedpackages') - manage the list of known trusted packages

Only trusted users should be given the  mod/scorm:addnewpackage permission

The changes to the interface include

1. New error messages in the module edit form - displayed when user adds unknown package without permissions
2. New report source for listing of all used local package files - this can be used for non-security management purposes too
3. New report source  Known trusted SCORM packages for listing and management of trusted content hashes - the main purpose is to allow removal of package trust

When upgrading from an site  < 13 the site admin needs to review/update existing roles with RISK_ALLOWXSS highlighted

On reading further it doesn't look like there is actually a whitelist to populate - the package needs to be uploaded by someone with mod/scorm:addnewpackage enabled

Regards