Chrome Version 80 Cookie Security Updates Can Break LTI

Published on: February 6, 2020
Linda Feng, Software Architect

Chrome version 80 was released Tuesday, February 4th, 2020. In an effort to improve security and privacy across the web, this new version contains updates to its cookie handling that may break LTI tool launches if the tool is embedded in a tool platform’s page. The update was not included with the original release, but will be rolled out using a phased approach starting February 18, 2020.

Starting with version 80, cookies used by external tools must set SameSite=None. They must also include the Secure attribute, which restricts them to HTTPS connections. If these are not in place, launching a tool that is embedded within a tool platform’s page will fail. You will still be able to launch the tool in a new window.

For more information and important developer details, be sure to read this blog post from Google:
Developers: Get Ready for New SameSite=None; Secure Cookie Settings

Stay up to date on the status of the rollout: https://www.chromium.org/updates/same-site

While Chrome is the first browser to implement this change, other browsers have announced that they also will be making the change in the coming months.

What Does This Mean To You?

Tool providers

To ensure that your tool will still work in all configurations and browsers, plan to update your cookies to include the new settings. Be aware that there may be some implementation complexities due to the fact that not all browsers support the new settings or may react to the setting values in different ways. Be sure to visit the link above to find out more.
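
One way to cope with browsers that react differently to the new settings is to send the session cookie twice, once with SameSite=None; Secure and once with no SameSite attribute, and accept whichever comes back. The sketch below is an added example, not code from the original post or from any LTI library; the cookie names and function names are hypothetical.

```python
# Added example: dual-cookie pattern for an LTI tool launched inside a platform iframe.
# Cookie names and helpers are hypothetical, not part of any LTI library.
from http.cookies import SimpleCookie

COOKIE = "lti_session"        # hypothetical session cookie name
LEGACY = COOKIE + "_legacy"   # fallback for clients that mishandle SameSite=None


def session_set_cookie_headers(value, max_age=3600):
    """Return the Set-Cookie header values to send after a successful launch."""
    base = f"{value}; Path=/; Max-Age={max_age}; HttpOnly; Secure"
    return [
        f"{COOKIE}={base}; SameSite=None",  # sent cross-site by Chrome 80 and later
        f"{LEGACY}={base}",                 # no SameSite: for browsers predating the change
    ]


def sent_in_embedded_launch(set_cookie):
    """True if a browser applying the Chrome 80 rules keeps this cookie and
    returns it when the tool is embedded in another site's page."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip().lower()
    # A missing SameSite is treated as Lax; SameSite=None without Secure is rejected.
    return attrs.get("samesite") == "none" and "secure" in attrs


def read_session(cookie_header):
    """Return the session value from a request Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    for name in (COOKIE, LEGACY):  # prefer the SameSite=None cookie when both arrive
        if name in jar:
            return jar[name].value
    return None


if __name__ == "__main__":
    for header in session_set_cookie_headers("abc123"):  # constructed sample value
        print(sent_in_embedded_launch(header), header)
```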

Tool platforms

Be prepared for reports from your users that external tools are not loading in Chrome after version 80 is released. Encourage your tool providers to make the necessary upgrades. As a short-term workaround, consider changing your tools to launch in a new window, or advise your users to try a different browser.

Where Can I Find More Information?

IMS Global Learning Consortium: SameSite Cookie Issues for LTI Tool Providers
Google: Developers: Get Ready for New SameSite=None; Secure Cookie Settings
web.dev: SameSite cookies explained
Canvas: SameSite Cookies and Canvas
Blackboard: Prepare Your Integrations for Upcoming Changes to Google Chrome 80

For information about a new service that Unicon is offering to help you navigate the latest generation of LTI:
LTI Advisory: Putting the Pieces Together


Linda Feng is a software architect at Unicon, Inc., a leading provider of education technology consulting and digital services. Linda has deep experience in student information systems (SIS) integration, open standards, and big data/learning analytics, most recently as Senior Product Manager for Canvas SIS Integrations and Canvas Data at Instructure. Prior to Instructure, Linda held the position of software architect for Oracle's Student Products Division. In the last several years, she served as co-chair of the IMS Global Learning Initiative Learning Information Services & Privacy Working Groups, helping to bring a new Enterprise interoperability standard to market.