SameSite Cookies and Canvas

tfullwood
Instructure
Instructure
11
10993

tl;dr tools that utilize cookies and integrate with Canvas will need to add SameSite=None and Secure attributes to their cookies to maintain current behavior.

Last year Chrome announced they'll be implementing a new cookie model in an upcoming version of Chrome (scheduled to release in February). Additionally Mozilla (Firefox) and Microsoft have announced their intention to support the new model as well. We've heard a few questions recently about how this update will impact Canvas so I'll answer a few of the most pressing questions below and provide a few additional resources.

Q: What changes does Canvas need to make?

A: Canvas itself doesn't need to make any updates. However, Instructure does maintain a number of LTI tools that integrate with Canvas. Some of these tools may need to be updated and we have been working internally to ensure these updates are made.

Q: As an LMS admin do I need to update anything?

A: There's no need to update anything in Canvas. But if your institution has developed an LTI tool or maintains an LTI tool your development team may need to make some changes. Additionally you'll want to verify any 3rd party tools you use have made the appropriate changes as well.

Q: I maintain an LTI tool that utilizes cookies, what do I need to do to make sure my LTI tool works the same after Chrome v80 releases?

A: You'll need to add a couple of attributes to each cookie. The first attribute SameSite=None will maintain the same behavior and the secure attribute is required when setting the SameSite attribute.

Q: How can I make sure we won't have any issues before Chrome v80 is released?

A: Make sure you have updated to Chrome 77+. You can open your Chrome developer tools and navigate to the Console tab. Once this tab is open click on your LTI tool(s) in the browser and look for a warning that begins with "A cookie associated with a cross-site resource ...". This warning will also provide a URL which should help you track down who needs to begin making updates.

Q: Where can I find more information?

11 Comments
matthew_buckett
Community Contributor

If you add SameSite=None to the cookie for your LTI then this will break some older clients: SameSite=None: Known Incompatible Clients - The Chromium Projects 

One client that sticks out here is iOS 12, so if you want iOS 12 to still be able to use your LTI you need to not send the SameSite attribute when it's an old iOS version.

matthew_buckett
Community Contributor

Just as a followup for our tools we ended up sending 2 session cookies back (one with SameSite=NONE) and one without the SameSite attribute. This means Chrome 80+ will use the SameSite cookie and old versions of Safari will use the one without the SameSite attribute.

This seems to work reasonably well and means you aren't having to whitelist/blacklist user agents.

rmurchshafer
Community Coach
Community Coach

 @tfullwood ‌ . I'm doing some testing with this to make sure our own SAML SSO is going to still work.  In my testing I've set Firefox config preferences for network.cookie.sameSite.laxByDefault to True.  From my understanding this should mimic what is going to happen with Chrome 80 for sites that have not specified a SameSite setting.  My experience on multiple instances of Canvas, some using SSO and some with local Canvas accounts is that the following message shows up on the Dashboard and I can't stay logged in to Canvas.  

336478_pastedImage_1.png

Is the method I'm using of setting network.cookie.sameSite.laxByDefault to True not a valid way to test things out, or is there something in Canvas that does need to be change?  If my testing is valid I don't think anyone is going to be able to stay logged in after the update to Chrome 80.  

Thanks for any insight,

Rick

atcarver
Community Contributor

 @tfullwood ‌ - any word on this getting updated for LTIs Instructure manages (such as Box)? The Box integration breaks in testing on Chrome 80, and seemingly beyond a cookie issue.

cronek
Community Participant

In Firefox I think you have to set BOTH  network.cookie.sameSite.laxByDefault and network.cookie.sameSite.noneRequiresSecure to True in order to emulate the new default setup.  Although, it looks like you are finding a breakage from just the one, anyway.  I'm seeing a couple tool providers, Instructure's own Rollcall tool for instance, that are only setting the SameSite but NOT the secure.  Chrome's console complains like this when I navigate to the Attendance tool:

The not secure could actually be due to the console saying the rollcall URL was "http" and not "https".  My understanding is both attributes have to be set on the cookie AND the traffic has to be over https.

Good luck testing,

~Kelly

millerjm
Community Champion

erinhallmark‌:  Can we possibly get an update on this?  (The original author of this article who has been tagged multiple times has not replied so I'm tagging you)

The RollCall Attendance Tool does throw errors related to SameSite cookies when the page is loaded due to it not being a secure link.  Will this be fixed to be compliant with the new requirements?  Here is the error:  

 

A cookie associated with a resource at http://rollcall-beta.instructure.com/ was set with `SameSite=None` but without `Secure`. A future release of Chrome will only deliver cookies marked `SameSite=None` if they are also marked `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5633521622188032.

thanks so much!

Joni

erinhmcmillan
Instructure Alumni
Instructure Alumni

Hi, Joni,

I know the team that manages the attendance tool was made aware of this today. The original guidance the team received and implemented was apparently not the same as in this message, but they can get it corrected and will work on it ASAP. Smiley Happy

Thanks,

Erin

karl
Instructure Alumni
Instructure Alumni

We tested the following apps: Box, Quizlet, YouTube, Khan Academy, Redirect Tool, Twitter, Vimeo. We only saw an issue with Box who I opened up a support ticket with regarding their embed UI we use in the LTI tool. They responded this morning they are aware of this issue and working on a fix and will let me know when this is resolved.

RobDitto
Community Champion

A few of us are discussing third-party vendor remediation in the Canvas Admins space at:

Kelvin_Dean
Community Contributor

Will iframes be affected by the SameSite cookie issue? I use iframes frequently.

jsimon3
Community Participant

Yes it does, but most larger sites have already explicitly stated samesite since the default switched to lax.