Canvas Stays Solid as Third-Party Cookies Crumble

Auburn
Instructure
Instructure
10
2951

Canvas.png

Understanding the Impact

 

Without proper adjustments, your tools may experience issues such as users having to sign in every time they launch, preferences not being saved, or even complete functionality breakdowns due to the lack of third-party cookie support.

It's important to note that this change by browsers will not directly impact Canvas itself. Just to expand on this a bit more, when it comes to cookies for a domain that's different from the one showing in the url bar, they'll be "partitioned" - meaning they'll only be accessible in the current tab and not across all tabs. As for why Canvas isn't impacted, it's because our cookies are considered first party, all belonging to the same domain.

Chrome has decided to delay enforcing this change until at least halfway through 2025. This means that there's no immediate urgency to address the third-party cookie issue for LTI tools. However, it's still recommended to plan ahead and implement a solution sooner rather than later to ensure a smooth transition when the change does take effect.

More information on these changes can be found here: Saying goodbye to third-party cookies in 2024 | MDN Blog. For information about a specific browser, it is always best to refer to the provider’s own announcements. 

 

Preparing Your LTI Tools for the Upcoming Third-Party Cookie Changes

 

Solutions for All LTI Tools

Whether you're developing LTI 1.1 or 1.3 tools, you can explore the following solutions to ensure your tool remains functional after the third-party cookie changes:

  1. Add Partitioned; to Your Cookies: This step is recommended for all tools to continue working within Chrome. Follow the CHIPS (Cookies Having Independent Partitioned State) standard by adding ‘Partitioned;’ to all of your cookies. This is a Chrome-only standard for now, but it should maintain the same behavior already implemented in Firefox and Brave. If you don't require Safari support, this may be a viable option and would be all that is needed to continue working in Chrome. 
    1. Follow the CHIPS Implementation Guide to add ‘Partitioned;’ to your cookies.
  2. Utilize Canvas's Platform Storage API: Although developed for LTI 1.3 tools, all tools can send postMessages and let Canvas store data that would normally be stored in cookies. However, this data will only be accessible via JavaScript and not on the server.
    1. Read about the Platform Storage API here and the postMessage types here
    2. The spec for 1.3 tools requires that you send messages to sso.canvaslms.com at a separate frame, but that isn’t required for 1.1 tools - you can send messages directly to the parent iframe.
  3. Remove Cookie Dependency: Store user preferences and other data on the server (e.g., Redis) instead of cookies. Let the LTI launch identify the current user instead of relying on sign-in. This option requires more work but will be future-proof.
  4. Launch Your Tool in a New Tab: Configure your tool to always launch in a new tab, where it will be considered a first-party site and have access to cookies. Note that this approach may not be suitable for all tools, as it goes against the seamless embedding principle of LTI. This solution should be considered as a final option, as it goes against the original intention of LTI integration within Canvas.
    1.  For 1.1 content items/deep linking, include placementAdvice: { windowTarget: "_blank" } (spec here, section 3.4.2). 
    2. For 1.3 content items, include window: { target: "_blank" } (spec here). 
    3. For standard tool launches, see the documentation for the requestFullWindowLaunch postMessage type.

 

Partners’ developers are welcome to reach out to our Developer Relations Managers for assistance in implementing the above changes. Feel free to email us at: Dev-Relations@instructure.com

By taking proactive steps to address the third-party cookie changes, you can ensure a seamless transition for your LTI tool users and maintain a positive user experience within the Canvas ecosystem. We encourage you to thoroughly test your chosen solution to ensure compatibility and functionality for your specific tool and Canvas.

10 Comments
chriscas
Community Coach
Community Coach

Hi @Auburn,

Thanks for posting about this.  As a Canvas admin for my institution, we've already run into some trouble with tools trying to conform to this spec, so I'm sure this guidance may really help out developers.

I don't mean to hijack the post too much, but around item #4, could Instructure help out developers by ensuring that opening in a new tab works for all tool placements?  I know right now, while Canvas accepts the config option, opening in a new tab does not work for either global_nav or user_nav placements.  I have submitted a ticket on this in the past, as well as a feature idea (after being directed to do that by support).  I'm hoping this would be an easy fix by someone with knowledge at Instructure, and if it's now a recommendation to open in a new tab where possible, seems like a good time to address this.

-Chris

Auburn
Instructure
Instructure
Author

Hey @chriscas!

Thank you for bringing that to our attention. We will definitely take it into consideration for future work. The option to launch in a new tab is typically viewed as a last resort because it can disrupt the seamless integration experience that LTI tools aim to provide within Learning Management Systems like Canvas. If you have any partners facing challenges with implementing changes to address cookie depreciation issues, feel free to share our contact information with them. We would be more than happy to assist them with their integration efforts. 😊

dbrace
Community Coach
Community Coach

@Auburn, is this blog post primarily targeted at developers?

As far as what @chriscasmentioned for Global Navigation and User Navigation LTI placements, we have experienced some inconsistent experiences with launching in a new tab and it seems to be related to how individual web browsers (Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari) deal with frames and/or pop-ups (and maybe settings/preferences configured by individual users).

As an example, we have an online tutoring platform integration with our Canvas LMS instance and it has LTI placements for Course Navigation and User Navigation (at least at the time of setting it up, the vendor does not officially support User Navigation but it sorta/kinda works).  We decided to include User Navigation because not every course/instructor uses the Canvas LMS.

even though every course/section has a shell and we wanted to reduce the likelihood of their being an obstacle that would keep a student from accessing that resource

the vendor/platform told us that there would be duplicate user accounts if we used SSO and LMS/LTI at the same time, even though they should be able to prevent that from happening by looking up user account information before creating the duplicate account, but I digress

For this resource, Google Chrome, Microsoft Edge, and Mozilla Firefox use a frame but Apple Safari opens (or attempts to but it is initially blocked and needs to be allowed) in a reduced-sized (and web browser functionality) separate/new window (without being able to see the URL/domain being accessed).

In my example, my preference would be for all of the major web browsers to be consistent (I know, I can wish) and to open this resource in a new tab in the same web browser window and have the full web browser experience/functionality.  I believe this because loading a third-party resource in a different tab allows them to continue to still have full access to the Canvas LMS and the third-party resource without needing to manually open an additional Canvas LMS tab.  Loading a third-party resource within a Canvas LMS frame may provide a seamless experience but it also can be more restrictive with what a user can or cannot do on their own without taking additional manual steps.  Forcing a new tab can also help with troubleshooting and when using the Canvas mobile apps.

So, circling-back, please allow launching tools in a new tab for more placements even if it is considered to be a last resort for the purposes of this post.

pwhitmer8
Community Explorer

@Auburn Thank you very much for this post. As the director of a 3rd party platform, I would vastly prefer our solution to be used "in-frame" and we optimized our original designs as such. But after continuing to see authentication issues, we are now doing our best to enforce placements and links added that open in a new tab. But this is a less than ideal solution, that clearly is a worse experience for students - but that's preferred to errors and the like.

Let me second the motion for Instructure to provide new tab options for all LTI 1.3 placements, until consistent cookie solutions can be rolled out across all major browsers and platforms. That's especially true since there is no single, easy-to-implement solution. 

We are likely to follow the same order recommended above. A little cheekily, since we'll start off with CHiPs, we're internally calling the effort, PONCH (Proposed One Need CompreHensive solution).

For non-developers - I can say that updating to using even 1 of the solutions above will take us 1-2 months of time per solution, which makes it difficult to do other, equally important work. We already do #4 and will probably update in the order above. That's not to say "poor us", but that there are tradeoffs that many of your providers will have to make, and it will take time. Have patience as you can - they likely know it's not a great experience, and since there's no "magic bullet" yet, it will be an uneven experience for a while. 

dbrace
Community Coach
Community Coach

@pwhitmer8, I am not sure what platform you are the director of (and I am not asking you to "out yourself") but I appreciate how open, transparent, and honest you were with your comment.

dkpst5
Community Participant

@pwhitmer8 Yes, thank you! The "in frame" experience is the gold-standard that should be the goal. It's a much better experience for most applications than the "pop out" answer.

pwhitmer8
Community Explorer

@dkpst5 100% . The maddening thing that we see is that in a class, 75% of students might have no problems accessing our platform, but since the other 25% become the instructor's unnecessary problem, we feel we don't have a choice but to make it worse for everyone, so all can access without significant issue. It really stinks. 

The steps from @Auburn are very promising. 

chriscas
Community Coach
Community Coach

Hi @Auburn,

From my perspective as an admin, it's very perplexing at why open in new tab works for something like course navigation placement, but not global navigation or user navigation.  I don't realy see much of a difference from a user experience perspective there.  The one place where there is more of a UX issue because of module navigation, is assignment placements, but those actually can open in a new tab (albeit with a button).

I would agree with everyone that opening within the frame is probably the most elegant user experience, when it works correctly.  Aside from the cookie issues, there are numerous times where the framed experience creates double scrollbars, which is a pet-peeve of mine.  I'd rather have an experience that works flawlessly in a new tab than something that works right for 98% of users in a frame, but that's just my own preference.

-Chris

 

dbrace
Community Coach
Community Coach

@chriscas, I really do agree with your ...

"I'd rather have an experience that works flawlessly in a new tab than something that works right for 98% of users in a frame, but that's just my own preference."

... statement.

For me opening in a new tab:

  1. avoids problems
  2. makes troubleshooting easier
  3. directs a user to the exact intended location
  4. let's me/users see what web elements are Canvas and which belong to the third-party tool (frames blur the lines, especially when the designs are similar)
  5. allows for more flexibility

I do understand that new tabs can lead to some web browser navigation confusion (don't we all have multiple tabs opened all the time) or cause unwanted distractions.

dbrace
Community Coach
Community Coach

Hello @Auburn, based on news from Google today (Monday, July 22nd) at https://privacysandbox.com/intl/en_us/news/privacy-sandbox-update, are you or someone else at Instructure able to comment on whether this blog post from Thursday, May 30th is still relevant?