
LTI App State Store through Windows Post Message (Cookie shim)


    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE

      Description

      Safari, and possibly other browsers in the near future, seriously restricts support for 3rd-party cookies (samesite None). This prevents LTI applications relying on cookies from functioning as embedded apps in Moodle. At best they can instrument themselves to detect that those cookies cannot be set and trigger countermeasures, from simply asking to pop out into a new window to triggering the rather intrusive Safari storage grant flow.

      As an alternative, Moodle will propose to act as a store for the embedded IFrame, allowing the IFrame to store key/value pairs in the parent window so they may be retrieved at any time within the IFrame. For example, an application may store its session identifier that way and retrieve it through JavaScript when navigating between pages.

      The proposal is based on window.postMessage between the Moodle parent window and the LTI IFrame, as window.postMessage is meant to allow cross-domain communication. The implementation will enforce origin matching to prevent a tool from querying the stored data of another tool.

      See POC (needs to be touched a bit to use closure to hide the store from any other JS on the page): https://github.com/cengage/moodle/commit/a50938e8003c727f1cacb856ece52bc1cd1f1c66
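The following is an added example sketching the store described above; it is not the POC from the linked commit and not Moodle code. The message subjects (`lti.put_data`, `lti.get_data`, and their `.response` counterparts), the `message_id` field and the `createLtiStore` / `demo` names are assumptions of this example. It shows the two properties the proposal calls for: the store lives in a closure so no other script on the page can reach it, and every entry is bound to the `event.origin` that wrote it, so one tool cannot read another tool's keys. Replies are posted back only to the requesting frame with its exact origin as the target.

```javascript
// Added example (not Moodle's or the POC's code): a parent-window key/value
// store for an embedded LTI tool, driven by window.postMessage.
// Assumed message shape: { subject, message_id, key, value }
// with subject "lti.put_data" or "lti.get_data".

function createLtiStore(allowedOrigins) {
  // Map<origin, Map<key, value>> captured in the closure: nothing on the
  // page can reach it except through the returned handler.
  const stores = new Map();
  const allowed = new Set(allowedOrigins);

  function storeFor(origin) {
    if (!stores.has(origin)) stores.set(origin, new Map());
    return stores.get(origin);
  }

  // Handles one MessageEvent-like object { origin, data, source }.
  // Returns the reply that was posted back, or null if the event was ignored.
  return function handleMessage(event) {
    const { origin, data, source } = event;
    // Only tool origins registered with the platform may use the store.
    if (!allowed.has(origin)) return null;
    if (!data || typeof data !== 'object' || typeof data.subject !== 'string') return null;
    if (typeof data.key !== 'string') return null;

    // Each origin gets its own namespace, so tool B never sees tool A's keys.
    const store = storeFor(origin);
    let reply;
    switch (data.subject) {
      case 'lti.put_data':
        store.set(data.key, data.value);
        reply = { subject: 'lti.put_data.response', message_id: data.message_id, key: data.key };
        break;
      case 'lti.get_data':
        reply = { subject: 'lti.get_data.response', message_id: data.message_id,
                  key: data.key, value: store.get(data.key) };
        break;
      default:
        return null;
    }
    // Reply only to the frame that asked, and pin the target origin so the
    // response is dropped if that frame has since navigated elsewhere.
    if (source && typeof source.postMessage === 'function') {
      source.postMessage(reply, origin);
    }
    return reply;
  };
}

// Browser wiring (skipped under Node): install the handler on the parent window.
if (typeof window !== 'undefined') {
  window.addEventListener('message', createLtiStore(['https://tool.example.com']));
}

// Constructed offline walk-through with a fake frame object standing in for
// the iframe's WindowProxy (example data, not a real browser session).
function demo() {
  const handle = createLtiStore(['https://tool-a.example.com', 'https://tool-b.example.com']);
  const sent = [];
  const fakeFrame = { postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }) };

  // Tool A stores its session identifier.
  handle({ origin: 'https://tool-a.example.com', source: fakeFrame,
           data: { subject: 'lti.put_data', message_id: '1', key: 'session', value: 'abc123' } });
  // Tool A reads it back after navigating to another page inside the iframe.
  const own = handle({ origin: 'https://tool-a.example.com', source: fakeFrame,
                       data: { subject: 'lti.get_data', message_id: '2', key: 'session' } });
  // Tool B asks for the same key and gets its own, empty, namespace.
  const other = handle({ origin: 'https://tool-b.example.com', source: fakeFrame,
                         data: { subject: 'lti.get_data', message_id: '3', key: 'session' } });
  // An origin the platform does not know is ignored outright.
  const unknown = handle({ origin: 'https://unregistered.example.net', source: fakeFrame,
                           data: { subject: 'lti.get_data', message_id: '4', key: 'session' } });
  return { own: own.value, other: other.value, unknown, sent };
}
```

In a real deployment `allowedOrigins` would be derived from the launch URLs of the tools configured in Moodle, and the iframe side would pair each request with its `message_id` to match the `.response` message, since `postMessage` replies are asynchronous.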

            People

            Assignee: Unassigned
            Reporter: Claude Vervoort
            Component watchers: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan