Canvas Stays Solid as Third-Party Cookies Crumble

Auburn
Instructure
Instructure
9
1490

Canvas.png

Understanding the Impact

 

Without proper adjustments, your tools may experience issues such as users having to sign in every time they launch, preferences not being saved, or even complete functionality breakdowns due to the lack of third-party cookie support.

It's important to note that this change by browsers will not directly impact Canvas itself. Just to expand on this a bit more, when it comes to cookies for a domain that's different from the one showing in the url bar, they'll be "partitioned" - meaning they'll only be accessible in the current tab and not across all tabs. As for why Canvas isn't impacted, it's because our cookies are considered first party, all belonging to the same domain.

Chrome has decided to delay enforcing this change until at least halfway through 2025. This means that there's no immediate urgency to address the third-party cookie issue for LTI tools. However, it's still recommended to plan ahead and implement a solution sooner rather than later to ensure a smooth transition when the change does take effect.

More information on these changes can be found here: Saying goodbye to third-party cookies in 2024 | MDN Blog. For information about a specific browser, it is always best to refer to the provider’s own announcements. 

 

Preparing Your LTI Tools for the Upcoming Third-Party Cookie Changes

 

Solutions for All LTI Tools

Whether you're developing LTI 1.1 or 1.3 tools, you can explore the following solutions to ensure your tool remains functional after the third-party cookie changes:

  1. Add Partitioned; to Your Cookies: This step is recommended for all tools to continue working within Chrome. Follow the CHIPS (Cookies Having Independent Partitioned State) standard by adding ‘Partitioned;’ to all of your cookies. This is a Chrome-only standard for now, but it should maintain the same behavior already implemented in Firefox and Brave. If you don't require Safari support, this may be a viable option and would be all that is needed to continue working in Chrome. 
    1. Follow the CHIPS Implementation Guide to add ‘Partitioned;’ to your cookies.
  2. Utilize Canvas's Platform Storage API: Although developed for LTI 1.3 tools, all tools can send postMessages and let Canvas store data that would normally be stored in cookies. However, this data will only be accessible via JavaScript and not on the server.
    1. Read about the Platform Storage API here and the postMessage types here
    2. The spec for 1.3 tools requires that you send messages to sso.canvaslms.com at a separate frame, but that isn’t required for 1.1 tools - you can send messages directly to the parent iframe.
  3. Remove Cookie Dependency: Store user preferences and other data on the server (e.g., Redis) instead of cookies. Let the LTI launch identify the current user instead of relying on sign-in. This option requires more work but will be future-proof.
  4. Launch Your Tool in a New Tab: Configure your tool to always launch in a new tab, where it will be considered a first-party site and have access to cookies. Note that this approach may not be suitable for all tools, as it goes against the seamless embedding principle of LTI. This solution should be considered as a final option, as it goes against the original intention of LTI integration within Canvas.
    1.  For 1.1 content items/deep linking, include placementAdvice: { windowTarget: "_blank" } (spec here, section 3.4.2). 
    2. For 1.3 content items, include window: { target: "_blank" } (spec here). 
    3. For standard tool launches, see the documentation for the requestFullWindowLaunch postMessage type.

 

Partners’ developers are welcome to reach out to our Developer Relations Managers for assistance in implementing the above changes. Feel free to email us at: Dev-Relations@instructure.com

By taking proactive steps to address the third-party cookie changes, you can ensure a seamless transition for your LTI tool users and maintain a positive user experience within the Canvas ecosystem. We encourage you to thoroughly test your chosen solution to ensure compatibility and functionality for your specific tool and Canvas.

9 Comments