Moodle / MDL-71887

Auth call defaults to SameSite=Lax and blocks deep link launch


Details

    • MOODLE_310_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE
    • MDL-71887-311
    • MDL-71887-master

      In this test, we're going to verify select content and LTI Advantage launches are working properly across browsers. Some browsers are enforcing rules on cookies that may cause the cookie to not be visible when returning the content selection to Moodle (or issuing the LTI Advantage flow). This causes Moodle to prompt the user for login.

      The test should be run across browsers (see matrix below) with an LTI Adv tool and an LTI 1.1 tool that also supports content item selection request. Other tools may be used than the ones proposed here:

      Pre-requisites

      1. LTI Advantage requires your site to be reachable from the internet. If not, install ngrok to expose your Moodle setup externally. Refer here for additional guidelines
      2. Have a course with an instructor.
      3. As admin install the LTI Robotest test app
        1. using the instructions found at https://robotest.theedtech.dev
        2. use the dynamic registration option if available on the release of Moodle (3.10 and above).
      4. As admin install ZTest LTI 1.1 tool
        1. https://ztest.cengage.info/ztest see LTI 1.1 Connect Info for the URL, key and secret
        2. Enable Content Item Message (deep linking)

       Content Selector Test - LTI Adv

      1. Enter a course as instructor
      2. Turn editing on
      3. Add external activity, choose Robotest app
      4. Wait 2 minutes or more
      5. Click Select Content and Select one item (graded or not, does not matter)
      6. Save and Return to Course
      7. Verify successful return

       Content Selector Test - LTI 1.1

      1. Enter a course as instructor
      2. Turn editing on
      3. Add external activity, choose Ztest app
      4. Wait 2 minutes or more
      5. Click the hamburger menu, select content item and submit
      6. Save and Return to Course
      7. Verify successful return

      Tests done using the current latest version of each browser on PC/Mac (should we consider mobile browsers?)

      Inc. is incognito mode

      Firefox LAX means forcing Lax on cookies with an empty SameSite attribute: in Firefox, open about:config, search for LAX, enable network.cookie.sameSite.laxByDefault and set network.cookie.sameSite.laxPlusPOST.timeout to 1.

      Firefox LAX mimics the case on Chrome where Moodle is also not setting SameSite to None.

      Without Fix (unpatched version of Moodle)

      Action Chrome Chrome Inc. Firefox Firefox Inc. Firefox LAX Safari Safari Inc.
      LTI 1.3 Launch Select      OK      FAIL  
      LTI 1.3 Content Return              
      LTI 1.1 Launch              
      LTI 1.1 Return              

      With Fix:

      Action Chrome Chrome Inc. Firefox Firefox Inc. Firefox LAX Safari Safari Inc.
      LTI 1.3 Launch Select              
      LTI 1.3 Content Return              
      LTI 1.1 Launch              
      LTI 1.1 Return              

    Description

      When an LTI 1.3 integration with deep linking is launched, the set-cookie parameter has a warning reading "This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax," and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage."  Screenshot here.

      In Chrome 80-90, SameSite by default cookies could be disabled at chrome://flags.  Version 91 of Chrome removed that toggle, so there is no workflow to bypass this issue anymore.
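The two browser decisions that the description and the test matrix hinge on, written out as an added example in Python (this is illustrative code, not Moodle's code and not the MDL-71887 patch). It models Lax-by-default cookie handling: a Set-Cookie with no SameSite attribute is treated as Lax and therefore rejected when it arrives in a cross-site response that is not a top-level navigation (the Chrome message quoted above), and a stored defaulted-Lax cookie still rides on a cross-site top-level POST for a short "Lax+POST" grace window after it was set, which is why the test instructions say to wait two minutes before selecting content, and why the Firefox pref network.cookie.sameSite.laxPlusPOST.timeout is shortened there. The example goes slightly beyond the page by also handling explicit Strict, Lax and None values. Function names (`parse_set_cookie`, `can_store`, `will_send`, `deep_link_return_sees_session`) and the sample header values are my own; `MoodleSession` is used only as a cookie name and the values are constructed.

```python
"""Browser SameSite decisions behind MDL-71887, modelled for illustration.

Added example; not Moodle code and not the fix from this issue.
It models two rules that Chrome (and Firefox with the about:config prefs
named in the test instructions) apply to cookies:

  1. storing: a cookie defaulted to Lax is rejected when the response is
     cross-site and not a top-level navigation (the message quoted in the
     description);
  2. sending: a defaulted-Lax cookie is still sent on a cross-site top-level
     POST for a short "Lax+POST" grace window after it was set, which is
     why the test waits two minutes before the content selection.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Grace window for cookies with no SameSite attribute. Chrome's default is two
# minutes; Firefox exposes the window as network.cookie.sameSite.laxPlusPOST.timeout.
LAX_PLUS_POST_WINDOW_SECONDS = 120


@dataclass
class Cookie:
    name: str
    value: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None if the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()  # normalise "none"/"NONE" to "None"
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def effective_samesite(cookie: Cookie) -> str:
    """Lax-by-default: a missing SameSite attribute is treated as Lax."""
    return cookie.samesite if cookie.samesite is not None else "Lax"


def can_store(cookie: Cookie, cross_site: bool, top_level_navigation: bool) -> Tuple[bool, str]:
    """Would the browser store this cookie from a response received in the given context?"""
    mode = effective_samesite(cookie)
    if mode == "None":
        if not cookie.secure:
            return False, "rejected: SameSite=None requires Secure"
        return True, "stored: SameSite=None; Secure is allowed in any context"
    if not cross_site:
        return True, "stored: same-site response"
    if mode == "Lax" and top_level_navigation:
        return True, "stored: Lax cookie from a cross-site top-level navigation"
    origin = " (defaulted from a missing attribute)" if cookie.samesite is None else ""
    return False, (f"blocked: {mode}{origin} cookie from a cross-site response "
                   "that was not a top-level navigation")


def will_send(cookie: Cookie, cross_site: bool, top_level_navigation: bool,
              method: str, age_seconds: int) -> Tuple[bool, str]:
    """Would the browser attach this stored cookie to a request made in the given context?"""
    mode = effective_samesite(cookie)
    if not cross_site:
        return True, "sent: same-site request"
    if mode == "None":
        if cookie.secure:
            return True, "sent: SameSite=None; Secure"
        return False, "withheld: SameSite=None without Secure is never stored"
    if mode == "Strict":
        return False, "withheld: Strict cookies never go cross-site"
    if top_level_navigation and method.upper() in ("GET", "HEAD"):
        return True, "sent: Lax allows top-level navigations with safe methods"
    if (cookie.samesite is None and top_level_navigation and method.upper() == "POST"
            and age_seconds < LAX_PLUS_POST_WINDOW_SECONDS):
        return True, "sent: Lax+POST grace window (attribute absent, cookie younger than the window)"
    return False, f"withheld: {mode} cookie on a cross-site {method.upper()}"


def deep_link_return_sees_session(set_cookie_header: str, age_seconds: int) -> bool:
    """The tool's content-item return is a cross-site, top-level POST back to Moodle.
    Does Moodle's session cookie arrive with it, or does Moodle see an anonymous user?"""
    cookie = parse_set_cookie(set_cookie_header)
    sent, _ = will_send(cookie, cross_site=True, top_level_navigation=True,
                        method="POST", age_seconds=age_seconds)
    return sent


if __name__ == "__main__":
    # Constructed header values; "constructed" is not a real session id.
    unpatched = "MoodleSession=constructed; Path=/; HttpOnly"
    hardened = "MoodleSession=constructed; Path=/; HttpOnly; Secure; SameSite=None"
    for label, header in (("no SameSite", unpatched), ("SameSite=None; Secure", hardened)):
        c = parse_set_cookie(header)
        print(label, "| set in iframe launch:", can_store(c, True, False)[1])
        for age in (30, 150):
            print(label, f"| return POST after {age}s:", will_send(c, True, True, "POST", age)[1])
```

Running the block prints the two matrices side by side: the cookie without a SameSite attribute is blocked when set from the iframe launch and is only sent on the return POST while it is younger than the grace window, whereas the `SameSite=None; Secure` form is stored and sent in every case. The grace window is why a quick manual test can pass on an unpatched site and why the test instructions insist on the two-minute wait.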


            People

              claudevervoort Claude Vervoort
              sadie_vt Sadie Anderson
              Jake Dallimore Jake Dallimore
              Adrian Greeve Adrian Greeve
              Jake Dallimore Jake Dallimore
              Ilya Tregubov, Kevin Percy, Mathew May, Mihail Geshoski, Shamim Rezaie

              Dates

                Resolved: 12/Jul/21

                Time Tracking

                  Logged: 1d 1h 30m