Have you noticed that certain embedded content or links within Canvas and other websites have stopped working recently? This might be because major browsers such as Google’s Chrome and Mozilla’s Firefox have begun adopting a secure-by-default model for browser cookie settings as part of an ongoing effort to improve privacy and security across the web.*
*The same issue has been observed in some versions of Apple’s Safari browser, but this is due to a bug in Safari itself.
What are cookies?
You might have seen pop-up messages from websites asking you to agree to the use of cookies on their websites. A cookie or, more properly, HTTP Cookie, is a small piece of information sent from a website and stored on a user’s computer by the user’s web browser. Some cookies are essential to the functioning of a website, for example, those tracking whether users are logged in, and those recording items in an online shopping cart; others are used to collect and analyze information on site performance and usage, to remember user preferences, and to customize content and advertisements. Some cookies pose security concerns because they make it easier for unidentified parties to track user behavior on the web.
What are the upcoming browser cookie settings changes?
On February 3, 2020, Chrome plans to enforce a new cookie model in v.80 of the browser to provide protection against network attacks. Under this new model, HTTP cookies must either 1) originate from and be used only for the website domain in the user’s address bar, or 2) be marked as accessible via a secure communication channel if they are to be used for a website domain different from the one in the user’s address bar. This model also requires web developers to explicitly declare which kind of cookies they are using. Other browsers have announced plans to adopt the same approach as Chrome, although the timeline for their changes has not been made public.
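For tool developers, the two rules above correspond to the SameSite and Secure cookie attributes. The following is an added example, not code from this article or from any vendor: it checks whether a Set-Cookie header would still be sent when the tool is embedded in another site under the new defaults. The function names and sample headers are constructed for illustration, and it does not model any temporary exceptions a browser may apply.

```javascript
// Added example; parseSetCookie and embeddedVerdict are hypothetical names.
// Parse a Set-Cookie header value into a cookie name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq0 = pair.indexOf("=");
  const name = eq0 === -1 ? "" : pair.slice(0, eq0);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? "" : attr.slice(eq + 1).trim();
  }
  return { name, attributes };
}

// Decide whether the cookie is sent when its site is embedded in a different
// site (for example, a tool's frame inside a learning-management page).
function embeddedVerdict(header) {
  const { name, attributes } = parseSetCookie(header);
  const sameSite = (attributes.samesite || "").toLowerCase();
  const secure = "secure" in attributes; // flag attribute, value ignored
  if (sameSite === "none") {
    return secure
      ? { name, sent: true, reason: "SameSite=None with Secure" }
      : { name, sent: false, reason: "SameSite=None without Secure is rejected" };
  }
  if (sameSite === "strict" || sameSite === "lax") {
    return { name, sent: false, reason: "SameSite=" + sameSite + " is withheld in embedded frames" };
  }
  // Missing or unrecognised value: the new default treats the cookie as Lax.
  return { name, sent: false, reason: "no SameSite attribute, treated as Lax" };
}

// Constructed sample headers, not captured from a real tool.
const samples = [
  "session=abc123; Path=/; HttpOnly",
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
  "session=abc123; Path=/; SameSite=None",
  "prefs=dark; SameSite=Lax",
];
for (const h of samples) {
  const v = embeddedVerdict(h);
  console.log((v.sent ? "sent   " : "blocked") + "  " + h + "  (" + v.reason + ")");
}
```

Only the second sample header survives in an embedded frame, which is the configuration vendors of embedded tools need to adopt.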
How does this affect me?
The changes in default cookie settings may affect any webpage that uses third-party content. Examples of third-party content include a Panopto video embedded on a Canvas Page, the Box course navigation link added via Canvas integration, and possibly other integrated external tools such as publisher content. This content will be blocked from being displayed if the cookies are not appropriately configured.
How do I know if I am affected?
You are affected if the content you expected to see is not displayed, if you see an error message in lieu of expected content from an external tool, or if you are prompted repeatedly to log in even though you have provided the correct username and password.
What can I do about it?
As a content consumer, you have two options to view the content:
- Open the content in its own new window.
Some vendors may provide an error message that includes a link to open the content in a new window.
- Use a different browser.
Some vendors do not provide an error message, or authentication fails repeatedly. If you are using one of these tools, and you don’t have an easy way to open the content in a new browser window, then your only option is to use a different browser. At the time of writing, Firefox has not enforced the secure-by-default model for browser cookie settings.
As a content creator, provide an option to view third-party content. In a Canvas course site, instructors and TAs can select the “Load in a new tab” option when they add External URLs or External Tools to a Module, or when adding an External Tool Assignment. We strongly recommend this approach to reduce the amount of troubleshooting and student questions, especially given that other browsers have announced plans to adopt the same approach as Chrome.
Known problems and suggested solutions
ATS has tested the integrated learning tools connected to Canvas available to all courses. As of January 30, 2020, ATS has found that the following vendors still need to update their tools in order for their content to display correctly when secure-by-default browser cookie settings are in place:
| Tool/Integration | Problem | Recommendation |
| --- | --- | --- |
| UChicago Box | User cannot log in because authentication information does not pass correctly. | Use a different browser. |
| Zoom | Users are not automatically logged in within Canvas. | Click link in the error message to open new window; or use a different browser. Follow the instructions on the screen if you are asked to log in again. |
References
- For an explanation of HTTP cookies, see: “What Are Cookies?” by Norton by Symantec, and “HTTP cookie” in Wikipedia.
- For an explanation of how cookies work across different websites, see: SameSite cookies explained by Rowan Merewood.
- Details of the change in Chrome v80, to be implemented on February 3, 2020, can be found on https://blog.chromium.org/2019/10/developers-get-ready-for-new.html