In February 2020, Google released version 80 of its Chrome browser, which introduces Google’s plan to phase out third-party cookies sometime in 2022 . With their phased approach, they also introduced a same-site cookie attribute..
In March 2020, Apple released Safari 13.1, which turned full cookie blocking privacy feature on by default. This made Safari the first mainstream browser to implement a strict cross-site tracking policy.
Preventing third-party cookies may introduce issues or unexpected behavior for LTI Tools that rely on them, specifically if the tool is being rendered within an iframe in Brightspace.
Platforms, like D2L’s Brightspace, cannot make changes to fix potential problems a tool may encounter if they require cookies.
Here are some alternative solutions to mitigate tools that cannot immediately adjust their cookie policies for Safari:
- Set LTI links for problematic tools to “Open as External Resource”. This setting will open the link in a new window instead of rendering it in an iframe. Visiting and interacting with the tool in a new window (first-party website), does not delete the cookies, using an iframe may result in deleted cookies and website data.
- For tools that support LTI 1.1, this is done each time an LTI link is added or updated in content by editing the link properties in the module.
- For tools that support LTI Advantage/1.3, LTI administrators can choose at the Deployment level if all links below that specified level should automatically be set to Open as External Resource (note, this only affects new links created). Alternatively, ad hoc links can also be updated in content.
- Update security settings to disable “Prevent cross-site tracking”.
Important: This solution is not recommended by D2L.
The LTI specification is published by 1Edtech (formerly IMS Global). 1Edtech members, which includes platforms, institutions, and tools, all participate in standards creation, adoption, and implementation. For more information on 1Edtech’s recommendations, please visit SameSite Cookie Issues for LTI Tool Providers. For more information on cookie problems related to OIDC Login with LTI Client Side postMessages and using window postMessages to store and validate state instead of cookies, please refer to the following documents: