Have you noticed that certain embedded content or links within Canvas and other websites have stopped working recently? This might be because major browsers such as Google Chrome have begun adopting a secure-by-default model for browser cookies as part of an ongoing effort to improve privacy and security across the web.
How does this affect me?
The changes in default cookie settings may affect any webpage that uses third-party content. Examples of third-party content include a Kaltura video embedded on a Canvas Page, redirect links that do not open a new tab, and possibly other integrated external tools such as publisher content. This content may not display properly if the cookies sent by the third party are not appropriately configured.
What are cookies?
You might have seen pop-up messages from websites asking you to agree to the use of cookies on their websites. An HTTP Cookie is a small piece of information sent from a website and stored on a user’s computer by the user’s web browser. Cookies are essential to the functioning of a website. For example, some track whether users are logged in, and some record items in an online shopping cart; others are used to collect and analyze information on site performance and usage, to remember user preferences, and to customize content and advertisements.
In general, there are two types of cookies: first-party cookies and third-party cookies. First-party cookies are those sent to your web browser by the website domain currently visible in the user’s address bar. Third-party cookies are those sent to your web browser by websites that do not match the current domain visible in the user’s address bar (such as a Kaltura video within a Canvas course).
What are the upcoming browser cookie settings changes?
Starting the week of February 17, 2020, Google Chrome plans to enforce new cookie restrictions to provide a safer secure-by-default model for cookies. Google plans to roll out these changes incrementally to users, so you may not immediately see the effects of these changes.
Under this new model, third-party cookies must explicitly indicate that they are intended to be third-party cookies, and they must also only be sent over an encrypted communication channel (HTTPS).
This means that any websites that rely on cookies to function properly will stop working when embedded in other pages, unless the developers update their code to indicate that their cookies can be used as third-party cookies.
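The rule above can be checked against the Set-Cookie headers that an embedded tool sends. The following is an added example, not code from the original article or from any vendor: the function names are hypothetical and the header values are constructed samples. It relies on the SameSite and Secure cookie attributes, which are how a cookie declares third-party use and HTTPS-only delivery.

```javascript
// Added example: which Set-Cookie headers survive in embedded (third-party) content.
// Function names are hypothetical; header values are constructed samples.

// Pull out the cookie name plus the two attributes the new model looks at.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Decide whether a cookie set by embedded content is still usable there.
function thirdPartyVerdict(header) {
  const { name, secure, sameSite } = parseSetCookie(header);
  if (sameSite === "none") {
    return secure
      ? { name, usable: true, reason: "declared third-party and HTTPS-only" }
      : { name, usable: false, reason: "SameSite=None without Secure is rejected" };
  }
  if (sameSite === "lax" || sameSite === "strict") {
    return { name, usable: false, reason: `SameSite=${sameSite} limits the cookie to first-party use` };
  }
  // Missing attribute (an unrecognised value is handled the same way in this sketch).
  return { name, usable: false, reason: "no SameSite attribute, so the browser defaults to Lax" };
}

// Constructed sample headers, as an embedded tool might send them.
const samples = [
  "tool_session=abc123; Path=/; HttpOnly",
  "tool_session=abc123; Path=/; SameSite=None",
  "tool_session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
  "prefs=dark; Max-Age=3600; Secure; SameSite=Lax",
];

function report(headers) {
  return headers.map(thirdPartyVerdict);
}

for (const v of report(samples)) {
  console.log(`${v.name}: ${v.usable ? "OK" : "BLOCKED"} (${v.reason})`);
}
```

Only the third sample header keeps working when the tool is embedded in another site's page; the other three produce the missing-content and repeated-login symptoms described below.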
How do I know if I am affected?
You are affected if the content you expected to see is not displayed, if you see an error message in lieu of expected content from an external tool, or if you are prompted repeatedly to log in even after you have successfully logged in already.
What can I do about it?
As a content consumer, there are a couple of options which might resolve the issue:
- Open the content in its own new window. Some vendors may provide an error message that includes a link to open the content in a new window. Look for a link in the error message that enables you to view the content in a new window.
- Use a different browser. If you are using a third-party tool, and you don’t have an easy way to open the content in a new browser window, then another option is to use a different browser. Note that this is not a permanent solution, as all web browsers will eventually enforce these new restrictions. At the time of writing, Firefox has not yet enforced the secure-by-default model for browser cookies.
As a content creator, provide an option to view third-party content. In Canvas, instructors and TAs can:
We strongly recommend this approach to reduce troubleshooting and student questions, especially given that other browsers have announced plans to adopt the same approach as Chrome.
Known problems and suggested solutions
Learning Environments has tested the integrated learning tools connected to Canvas. As of February 14th, 2020, Learning Environments has found that the following vendors still need to update their tools in order for their content to display correctly when secure-by-default browser cookies are in place:
Tool/Integration | Fix Status | Recommendation |
Study.net | Vendor working on a fix. | Fix should be deployed prior to Chrome changes; if not, use Firefox temporarily. |
Digication | Vendor working on a fix. | Fix should be deployed prior to Chrome changes; if not, use Firefox temporarily. |
Follett Discovery (Bookstore) | Fix expected to be deployed Feb. 18th. | Fix should be deployed prior to Chrome changes; if not, use Firefox temporarily. |
Inscribe | Vendor working on a fix. | Fix should be deployed prior to Chrome changes; if not, use Firefox temporarily. |
References
- This content has been adapted from the University of Chicago Canvas blog.
- For an explanation of HTTP cookies, see: “What Are Cookies?” by Norton by Symantec, and “HTTP cookie” in Wikipedia.
- For an explanation of how cookies work across different websites, see: SameSite cookies explained by Rowan Merewood.
- Details of the change in Chrome v80 can be found on https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
- Details regarding the timeline for the change can be found on https://www.chromium.org/updates/same-site