I'm developing a Canvas integration that uses LTI 1.3 to embed an iframe on a page in Canvas, and am running into an issue. When I check Safari's "Prevent cross-site tracking" checkbox, I am able to embed my LTI tool on a Canvas page in our test Canvas instance (https://<domain>-dev.instructure.com).
However, when I run the same code in https://<domain>.test.instructure.com I get this response:
Array ( [utf8] => ✓ [authenticity_token] => STRING== [error] => login_required [error_description] => Must have an active user session [state] => state-STRING )
I'm not too sure at this point where the problem is - I haven't followed the requests closely enough to see what cookies aren't being set (I presume) that would be required for Canvas to identify the user within the iframe, but I'm also confused why the dev/test instances are different enough that one will work and one won't.
My application does not need to set a cookie for this to work - I'm encrypting state and sending it as a query string parameter as part of my target_link_uri.
To add additional "mystery" to this issue, it's working fine (when Safari is set to "Prevent cross-site tracking") in our production instance of Canvas. I suppose there could be advanced heuristics in how Safari sees certain domains (i.e., I visit beta/dev and production all the time - I do my final testing on my test domain but infrequently access it).
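As an added example (not the poster's code), here is one way to implement the cookie-free state the question describes: an HMAC-signed state token carried in the query string, bound to the target_link_uri and the OIDC nonce, and checked on launch. It assumes a stdlib-only Python tool and uses a constructed signing key; the short TTL and the nonce cross-check are what stand in for the browser binding a cookie would normally give.

```python
"""Stateless LTI 1.3 OIDC `state`: signed token in the query string, no cookie."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed key for the example; a real tool loads this from its config.
STATE_KEY = b"example-only-state-signing-key"
STATE_TTL_SECONDS = 300  # login initiation -> launch should complete well within this


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(target_link_uri: str, nonce: str, now: Optional[float] = None) -> str:
    """Bind the state to the launch target and to the nonce sent to the platform."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"t": target_link_uri, "n": nonce, "iat": issued,
                          "r": secrets.token_hex(8)}, separators=(",", ":")).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_state(state: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the bound claims if the tag verifies and the token is fresh, else None."""
    try:
        payload_b64, tag_b64 = state.split(".", 1)
        payload = _b64d(payload_b64)
        expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed base64/JSON or bad tag: treat as untrusted
    age = (now if now is not None else time.time()) - claims["iat"]
    if age < 0 or age > STATE_TTL_SECONDS:
        return None
    return claims


def launch_matches(claims: dict, id_token_nonce: str, target_link_uri: str) -> bool:
    """Cross-check the launch's id_token nonce and target against the issued state."""
    return hmac.compare_digest(claims["n"], id_token_nonce) and claims["t"] == target_link_uri
```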