-
Bug
-
Resolution: Fixed
-
Critical
-
3.8.9, 3.9.7, 3.10.4
-
MOODLE_310_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
-
MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE
-
MDL-71887-master -
When an LTI 1.3 integration with deep linking is launched, the set-cookie parameter has a warning reading "This Set-Cookie didn't specify a "SameSite" attribute and was defaulted to "SameSite=Lax," and was blocked because it came from a cross-site response which was not the response to a top-level navigation. The Set-Cookie had to have been set with "SameSite=None" to enable cross-site usage." Screenshot here.
In Chrome 80-90, SameSite by default cookies could be disabled at chrome://flags. Version 91 of Chrome removed that toggle, so there is no workflow to bypass this issue anymore.