Chrome Version 80 Cookie Security Updates Can Break LTI
Written by Linda Feng,
Software Architect
Chrome version 80 was released Tuesday, February 4th, 2020. In an effort to improve security and privacy across the web, this new version contains updates to its cookie handling that may break LTI tool launches if the tool is embedded in a tool platform’s page. The update was not included with the original release, but will be rolled out using a phased approach starting February 18, 2020.
Starting with version 80, cookies used by external tools must include a setting of SameSite=None. They also need to include an additional Secure attribute so that they can only be accessed over HTTPS connections. If these are not in place, launching a tool that is embedded within a tool platform’s page will fail. You will still be able to launch the tool in a new window.
While Chrome is the first browser to implement this change, other browsers have announced that they also will be making the change in the coming months.
What Does This Mean To You?
Tool providers
To ensure that your tool will still work in all configurations and browsers, plan to update your cookies to include the new settings. Be aware that there may be some implementation complexities due to the fact that not all browsers support the new settings or may react to the setting values in different ways. Be sure to visit the link above to find out more.
Tool platforms
Be prepared for reports from your users that external tools are not loading in Chrome after version 80 is released. Encourage your tool providers to make the necessary upgrades. As a short-term workaround, consider changing your tools to launch in a new window, or advise your users to try a different browser.
Linda Feng is a Principal Software Architect at Unicon, Inc., a leading provider of education technology consulting and digital services. Linda has deep experience in student information systems (SIS) integration, open standards, and big data/ learning analytics, most recently as Senior Product Manager for Canvas SIS Integrations and Canvas Data at Instructure. Prior to Instructure, Linda held the position of software architect for Oracle's Student Products Division. In the last several years, she served as co-chair of the IMS Global Learning Initiative Learning Information Services & Privacy Working Groups, helping to bring a new Enterprise interoperability standard to market.
