SameSite Cookies and Canvas

tfullwood
Instructure
Instructure
11
10971

tl;dr tools that utilize cookies and integrate with Canvas will need to add SameSite=None and Secure attributes to their cookies to maintain current behavior.

Last year Chrome announced they'll be implementing a new cookie model in an upcoming version of Chrome (scheduled to release in February). Additionally Mozilla (Firefox) and Microsoft have announced their intention to support the new model as well. We've heard a few questions recently about how this update will impact Canvas so I'll answer a few of the most pressing questions below and provide a few additional resources.

Q: What changes does Canvas need to make?

A: Canvas itself doesn't need to make any updates. However, Instructure does maintain a number of LTI tools that integrate with Canvas. Some of these tools may need to be updated and we have been working internally to ensure these updates are made.

Q: As an LMS admin do I need to update anything?

A: There's no need to update anything in Canvas. But if your institution has developed an LTI tool or maintains an LTI tool your development team may need to make some changes. Additionally you'll want to verify any 3rd party tools you use have made the appropriate changes as well.

Q: I maintain an LTI tool that utilizes cookies, what do I need to do to make sure my LTI tool works the same after Chrome v80 releases?

A: You'll need to add a couple of attributes to each cookie. The first attribute SameSite=None will maintain the same behavior and the secure attribute is required when setting the SameSite attribute.

Q: How can I make sure we won't have any issues before Chrome v80 is released?

A: Make sure you have updated to Chrome 77+. You can open your Chrome developer tools and navigate to the Console tab. Once this tab is open click on your LTI tool(s) in the browser and look for a warning that begins with "A cookie associated with a cross-site resource ...". This warning will also provide a URL which should help you track down who needs to begin making updates.

Q: Where can I find more information?

11 Comments