Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67175

Chrome 80 support

XMLWordPrintable

    • MOODLE_35_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
    • MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
    • MDL-67175-master
    • Hide

      Testing requirements:

      • Chrome (version >= 68)
      • Firefox
      • IE
      • Edge
      • PHP 7.0
      • PHP 7.2
      • PHP 7.3

      Setup

      1. Open Chrome
      2. Visit chrome://flags/#same-site-by-default-cookies
        1. Enable the experiment
      3. Visit chrome://flags/#cookies-without-same-site-must-be-secure
        1. Enable the experiment
      4. Relaunch Chrome

      Scenario 1: Disallow sync XHR in page dismissal

      Scenario 1 alternative

      The following test must be run using Chrome, and at least one other browser (any will do)

      1. Create a SCORM activity using the same package from the behat test (RuntimeBasicCalls_SCORM20043rdEdition.zip).
      2. As a learner start an attempt and progress a couple of pages in. Note the title of the SCORM page you are on.
      3. Follow another link on the site, the navbar for instance. It must redirect the tab out of the SCORM activity.
      4. Navigate back to the course, and the SCORM activity and resume your attempt.
      5. You should be taken back to the last page that you were on.
      6. Progress one page and note the title
      7. Log out
      8. Log back in (this is to generate a new session cookie)
      9. Return to the SCORM activity, resume your attempt
        1. Confirm you get back to the last title

      Scenario 2: Cookies default to SameSite=(Empty) and reject insecure SameSite=None cookies

      This scenario should be executed in as many browsers and PHP versions as possible (IE, Chrome, Firefox, Safari and PHP 7.2, PHP 7.3).
      Note: Between each test make sure you close your browser completely or purge all history and state. You need it to dispose of the cookie completely in order for the test to be accurate. The samesite attribute is sticky.
      Alternatively you can make use of an Incognito/Private browsing window and make sure that it is fully closed between each test

      SameSite=None

      This set of tests will need to be run using the following versions of PHP:

      1. PHP 7.0 (3.5, 3.6)
      2. PHP 7.2 (3.7, 3.8, master)
      3. PHP 7.3 (3.7, 3.8, master)

      This test must be run against at the least the following browers:

      1. Chrome >= 68 with the experimental flags enabled
      2. Firefox
      3. IE
      4. Edge

      Therefore we have the following combinations:

      1. Moodle 3.5, PHP 7.0, Chrome
      2. Moodle 3.5, PHP 7.0, Firefox
      3. Moodle 3.5, PHP 7.0, IE
      4. Moodle 3.5, PHP 7.0, Edge
      5. Moodle 3.6, PHP 7.0, Chrome
      6. Moodle 3.6, PHP 7.0, Firefox
      7. Moodle 3.6, PHP 7.0, IE
      8. Moodle 3.6, PHP 7.0, Edge
      9. Moodle 3.7, PHP 7.2, Chrome
      10. Moodle 3.7, PHP 7.2, Firefox
      11. Moodle 3.7, PHP 7.2, IE
      12. Moodle 3.7, PHP 7.2, Edge
      13. Moodle 3.7, PHP 7.3, Chrome
      14. Moodle 3.7, PHP 7.3, Firefox
      15. Moodle 3.7, PHP 7.3, IE
      16. Moodle 3.7, PHP 7.3, Edge
      17. Moodle 3.8, PHP 7.2, Chrome
      18. Moodle 3.8, PHP 7.2, Firefox
      19. Moodle 3.8, PHP 7.2, IE
      20. Moodle 3.8, PHP 7.2, Edge
      21. Moodle 3.8, PHP 7.3, Chrome
      22. Moodle 3.8, PHP 7.3, Firefox
      23. Moodle 3.8, PHP 7.3, IE
      24. Moodle 3.8, PHP 7.3, Edge
      25. Moodle master, PHP 7.2, Chrome
      26. Moodle master, PHP 7.2, Firefox
      27. Moodle master, PHP 7.2, IE
      28. Moodle master, PHP 7.2, Edge
      29. Moodle master, PHP 7.3, Chrome
      30. Moodle master, PHP 7.3, Firefox
      31. Moodle master, PHP 7.3, IE
      32. Moodle master, PHP 7.3, Edge

      No SSL

      1. Visit your site directly (Do not use ngrok or https) - e.g. http://localhost/im
      2. Log in
      3. Open the developer tools (Usually F12)
      4. Locate the Cookie storage. In most browsers this is in somewhere like an "Application" or "Storage" tab in the developer tools
      5. Expand the "Cookies" section, and click on the hostname
        1. Confirm that you can see a "MoodleSession" cookie
        2. Confirm that the "Secure" column is false, or not ticked
        3. Confirm that the "SameSite" colum is Unset, or empty

      SSL

      1. Visit your site using ngrok - e.g. https://mysite.au.ngrok.io/im
      2. Log in
      3. Open the developer tools (Usually F12)
      4. Locate the Cookie storage. In most browsers this is in somewhere like an "Application" or "Storage" tab in the developer tools
      5. Expand the "Cookies" section, and click on the hostname
        1. Confirm that you can see a "MoodleSession" cookie
        2. Confirm that the "Secure" column is true, or ticked
      6. If you are using Chrome:
        1. Confirm that the "SameSite" colum is set to "None"
      7. If you are not using Chrome:
        1. Confirm that the "SameSite" colum is Unset, or empty

      Tidyup

      1. Open Chrome
      2. In the address bar visit chrome://flags
      3. Press "Reset all to default"
      4. Relaunch Chrome
      Show
      Testing requirements: Chrome (version >= 68) Firefox IE Edge PHP 7.0 PHP 7.2 PHP 7.3 Setup Open Chrome Visit chrome://flags/#same-site-by-default-cookies Enable the experiment Visit chrome://flags/#cookies-without-same-site-must-be-secure Enable the experiment Relaunch Chrome Scenario 1: Disallow sync XHR in page dismissal Scenario 1 alternative The following test must be run using Chrome, and at least one other browser (any will do) Create a SCORM activity using the same package from the behat test ( RuntimeBasicCalls_SCORM20043rdEdition.zip ). As a learner start an attempt and progress a couple of pages in. Note the title of the SCORM page you are on. Follow another link on the site, the navbar for instance. It must redirect the tab out of the SCORM activity. Navigate back to the course, and the SCORM activity and resume your attempt. You should be taken back to the last page that you were on. Progress one page and note the title Log out Log back in (this is to generate a new session cookie) Return to the SCORM activity, resume your attempt Confirm you get back to the last title Scenario 2: Cookies default to SameSite=(Empty) and reject insecure SameSite=None cookies This scenario should be executed in as many browsers and PHP versions as possible (IE, Chrome, Firefox, Safari and PHP 7.2, PHP 7.3). Note: Between each test make sure you close your browser completely or purge all history and state. You need it to dispose of the cookie completely in order for the test to be accurate. The samesite attribute is sticky. Alternatively you can make use of an Incognito/Private browsing window and make sure that it is fully closed between each test SameSite=None This set of tests will need to be run using the following versions of PHP: PHP 7.0 (3.5, 3.6) PHP 7.2 (3.7, 3.8, master) PHP 7.3 (3.7, 3.8, master) This test must be run against at the least the following browers: Chrome >= 68 with the experimental flags enabled Firefox IE Edge Therefore we have the following combinations: Moodle 3.5, PHP 7.0, Chrome Moodle 3.5, PHP 7.0, Firefox Moodle 3.5, PHP 7.0, IE Moodle 3.5, PHP 7.0, Edge Moodle 3.6, PHP 7.0, Chrome Moodle 3.6, PHP 7.0, Firefox Moodle 3.6, PHP 7.0, IE Moodle 3.6, PHP 7.0, Edge Moodle 3.7, PHP 7.2, Chrome Moodle 3.7, PHP 7.2, Firefox Moodle 3.7, PHP 7.2, IE Moodle 3.7, PHP 7.2, Edge Moodle 3.7, PHP 7.3, Chrome Moodle 3.7, PHP 7.3, Firefox Moodle 3.7, PHP 7.3, IE Moodle 3.7, PHP 7.3, Edge Moodle 3.8, PHP 7.2, Chrome Moodle 3.8, PHP 7.2, Firefox Moodle 3.8, PHP 7.2, IE Moodle 3.8, PHP 7.2, Edge Moodle 3.8, PHP 7.3, Chrome Moodle 3.8, PHP 7.3, Firefox Moodle 3.8, PHP 7.3, IE Moodle 3.8, PHP 7.3, Edge Moodle master, PHP 7.2, Chrome Moodle master, PHP 7.2, Firefox Moodle master, PHP 7.2, IE Moodle master, PHP 7.2, Edge Moodle master, PHP 7.3, Chrome Moodle master, PHP 7.3, Firefox Moodle master, PHP 7.3, IE Moodle master, PHP 7.3, Edge No SSL Visit your site directly (Do not use ngrok or https) - e.g. http://localhost/im Log in Open the developer tools (Usually F12) Locate the Cookie storage. In most browsers this is in somewhere like an "Application" or "Storage" tab in the developer tools Expand the "Cookies" section, and click on the hostname Confirm that you can see a "MoodleSession" cookie Confirm that the "Secure" column is false, or not ticked Confirm that the "SameSite" colum is Unset, or empty SSL Visit your site using ngrok - e.g. https://mysite.au.ngrok.io/im Log in Open the developer tools (Usually F12) Locate the Cookie storage. In most browsers this is in somewhere like an "Application" or "Storage" tab in the developer tools Expand the "Cookies" section, and click on the hostname Confirm that you can see a "MoodleSession" cookie Confirm that the "Secure" column is true, or ticked If you are using Chrome: Confirm that the "SameSite" colum is set to "None" If you are not using Chrome: Confirm that the "SameSite" colum is Unset, or empty Tidyup Open Chrome In the address bar visit chrome://flags Press "Reset all to default" Relaunch Chrome
    • Moppies Kanban

      Hi guys and girls,

      I couldn't find a ticket for this one, and while it has popped up in your forums I don't know that anyone has seen it.

      Quick grep of code doesn't reveal any introduction of the SameSite property.

      There are two changes coming in Chrome 80 that you may want to prep for (we certainly are)

      Disallow sync XHR in page dismissal

      It will no longer be possible to make synchronous XHR requests during page dismissal.
      No more synchronous XHR requests on beforeunload, unload, pagehide, and visibilitychange.
      The SCORM API makes use of synchronous XHR requests, and it is somewhat common for packages to attempt to save use progress when they leave the SCORM activity, in fact the example 2004 packages do this.
      Arguably it could be the SCORM authoring tools responsibility to ensure that it does not attempt to save progress on exit events. However the Moodle SCORM JS API is pretty basic and its an easy fix within Moodle.

      For those affected by the problem there are four workarounds, none of which are particularly good.

      • Every user of Chrome 78 or greater changes their browser settings to disable the "Forbid synchronous XHR requests in page dismissal" - navigate to chrome://flags/#allow-sync-xhr-in-page-dismissal - This may be a short term fix, I'm unclear on whether it will be removed with the AllowSyncXHRInPageDismissal policy flag noted below; it may well be.
      • Organisations using Enterprise policy controls can enable the AllowSyncXHRInPageDismissal flag. This is a short term fix as the flag is expected to be removed in Chrome 82 https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AllowSyncXHRInPageDismissal
      • Register for a temporary opt-out, this is available on a site by site basis until October 2020. After that date the opt-out will not longer work. Every site has to register to get a token which must then be added to either the headers or page meta data. Instructions https://github.com/GoogleChrome/OriginTrials/blob/gh-pages/developer-guide.md.
      • They instruct their users not to just navigate away from the SCORM package as they may loose some of their progress. Not a solution, just a mitigation.

      There are several articles out there that are interesting reading in relation to this change:

      Cookies default to SameSite=Lax AND Reject insecure SameSite=None cookies

      This is a twofer, you'll want to be aware of both changes.

      The first is that the SameSite cookie property will begin to default to Lax.
      This by itself isn't terrible, we can expect Lax to cause a little havoc in the way people use the site, but it is explainable.
      There is a new value that was recently added to the list of accepted values, "None" which will return behavior to where it is presently.
      Beware with this one there are a few gotcha's out there.
      There is a bug in Safari (that appears to be bound to both the browser and the OS) wherein Lax will be treated as Strict.
      IE has some quirks when handling it also.
      After a lot of testing our approach was to detect Chrome 77 and start setting SameSite there. It's a stop gap solution, but works well given the inconsistent state of the property across browsers.
      Chrome was originally going to make this change in 78, but pulled out and shifted it back literally a week before release.
      In the future session management really could stand to be improved to more specifically control session start and cookie management - that would enable some really cool things to be done.

      The second ties into this.
      When SameSite is set to None Chrome is going start requiring secure cookies only.
      If set to None then sites will need to be running https.
      The mechanics are all in place already for this of course, and its been a recommendation for years, but flagging it up as we considered it relevant.

      Reading material:

        1. Screenshot_1.png
          425 kB
          Janelle Barcega
        2. Screenshot_2.png
          280 kB
          Janelle Barcega
        3. Screenshot_3.png
          273 kB
          Janelle Barcega

            Votes:
            15 Vote for this issue
            Watchers:
            55 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 3 days, 2 hours
                3d 2h

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.