cancel
Showing results for 
Search instead for 
Did you mean: 
cronek
Learner

Cross-site tracking and SameSite cookies with LTI

Jump to solution

Now that Safari is default blocking all third party cookies and Chrome is implementing SameSite cookie restrictions as a bridge to that same thing, what is the method External Tool developers should use to launch their tool within the course frame?  Does LTI 1.3 or LTI Advantage still use a third party cookie?

Labels (1)
1 Solution

Accepted Solutions
erinhmcmillan
Community Team
Community Team

Hi, Kelly,

I noticed that you hadn't received an update to your question. I'd recommend checking out this document: SameSite Cookies and Canvas. It has links to resources you may need, and information about what to do if you maintain an LTI tool that uses cookies. Also check out the existing comments—they may help you out as well.

Good luck!

Erin

View solution in original post

0 Kudos
6 Replies
erinhmcmillan
Community Team
Community Team

Hi, Kelly,

I noticed that you hadn't received an update to your question. I'd recommend checking out this document: SameSite Cookies and Canvas. It has links to resources you may need, and information about what to do if you maintain an LTI tool that uses cookies. Also check out the existing comments—they may help you out as well.

Good luck!

Erin

View solution in original post

0 Kudos

Thanks, Erin,

That post from Trevor is old and only addresses the SameSite=Lax intermediate step for Chrome.  Here I am asking about the Canvas plan to support LTI within the course content frame in light of Safari, and soon all major browsers, blocking ALL third party cookies.  Is Canvas going to document the method LTI vendors should use to keep their content within the course frame.  The Canvas LTI documentation I can find is years old and predates the 3rd party security browsers are moving towards. 

It is looking like the only solution is to force an External Tool to always launch in a new window or tab, which ruins the Canvas integrated navigation.  I'm hoping Canvas comes out soon with some new documentation for developers.

Thanks, again,

~Kelly

Hi, Kelly,

Thanks for the clarification, and apologies if I initially misunderstood your question. I will see what I can find out from our developers!

Erin

I am also interested in knowing how an LTI tool provider can have the LTI content played within the course content.

karl
Instructure
Instructure

I just posted up this article written by one of our engineers that should help. Safari 13.1 and LTI Integration

tgrant
Surveyor

I would just like to add from the school support perspective this is already happening in Chrome as well. I am frequently providing support to faculty and students alike where Google Drive integration and other core LTIs constantly request access and fail in a loop only to find that enabling third party cookies for that site is the answer. Often times major updates to the browser wipe out these settings and revert back to blocking all third party cookies again. It looks like the steps linked in karl's post are work arounds at best.