Chrome Version 80 Cookie Security Updates Can Break LTI
Chrome version 80 was released Tuesday, February 4th, 2020. In an effort to improve security and privacy across the web, this new version contains updates to its cookie handling that may break LTI tool launches if the tool is embedded in a tool platform’s page. The update was not included with the original release, but will be rolled out using a phased approach starting February 18, 2020.
Starting with version 80, cookies used by external tools must include a setting of SameSite=None. They also need to include an additional Secure attribute so that they can only be accessed over HTTPS connections. If these are not in place, launching a tool that is embedded within a tool platform’s page will fail. You will still be able to launch the tool in a new window.
For more information and important developer details, be sure to read this blog from Google:
Developers: Get Ready for New SameSite=None; Secure Cookie Settings
Stay up to date on the status of the rollout: https://www.chromium.org/updates/same-site
While Chrome is the first browser to implement this change, other browsers have announced that they also will be making the change in the coming months.
What Does This Mean To You?
To ensure that your tool will still work in all configurations and browsers, plan to update your cookies to include the new settings. Be aware that there may be some implementation complexities due to the fact that not all browsers support the new settings or may react to the setting values in different ways. Be sure to visit the link above to find out more.
Be prepared for reports from your users that external tools are not loading in Chrome after version 80 is released. Encourage your tool providers to make the necessary upgrades. As a short-term workaround, consider changing your tools to launch in a new window, or advise your users to try a different browser.
Where Can I Find More Information?
IMS Global Learning Consortium: SameSite Cookie Issues for LTI Tool Providers
Google: Developers: Get Ready for New SameSite=None; Secure Cookie Settings
web.dev: SameSite cookies explained
Canvas: SameSite Cookies and Canvas
Blackboard: Prepare Your Integrations for Upcoming Changes to Google Chrome 80
For information about a new service that Unicon is offering to help you navigate the latest generation of LTI:
LTI Advisory: Putting the Pieces Together