- New Feature
- Resolution: Unresolved
- Major
- None
- 3.9.7, 3.10.4, 3.11, 4.0
- MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
Safari, and possibly other browsers in the near future, seriously restricts support for third-party cookies (SameSite None). This prevents LTI applications relying on cookies from functioning as embedded apps in Moodle. At best they can instrument themselves to detect that those cookies cannot be set and trigger countermeasures, from just asking to pop out in a new window to triggering the rather intrusive Safari storage grant flow.
As an alternative, Moodle will propose to act as a store for the embedded IFrame, allowing the IFrame to store key/value pairs in the parent window so they may be retrieved at any time within the IFrame. For example, an application may store its session identifier that way and retrieve it through JavaScript when navigating between pages.
The proposal is based on window.postMessage between the Moodle parent window and the LTI IFrame, as window.postMessage is meant to allow cross-domain communication. The implementation will enforce origin matching to prevent a tool from querying the stored data from another tool.
See POC (needs to be touched a bit to use closure to hide the store from any other JS on the page): https://github.com/cengage/moodle/commit/a50938e8003c727f1cacb856ece52bc1cd1f1c66
- is duplicated by
- MDL-83536 Cannot launch LTI 1.3 in frame because of third-party cookie block
- Closed
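A sketch of the origin-matched store the description proposes, written here as an added example; it is not the code from the linked POC or from Moodle. The message shape (`action`, `key`, `value`, `id`), the function name `createFrameStore` and the per-origin key quota are assumptions made for illustration.

```javascript
// Added example: parent-window key/value store for embedded tool iframes.
// Message fields and all names below are hypothetical, not Moodle's API.
function createFrameStore(allowedOrigins, maxKeysPerOrigin = 32) {
  const allowed = new Set(allowedOrigins);
  // origin -> Map(key -> value). Held in the closure so other scripts on the
  // parent page have no reference to it.
  const stores = new Map();

  return function handleMessage(event) {
    const { origin, data, source } = event;
    // event.origin is filled in by the browser; the sending frame cannot forge it.
    if (!allowed.has(origin)) return null; // not a registered tool: drop
    if (!data || typeof data !== 'object' || typeof data.key !== 'string') return null;

    // Each origin only ever sees its own bucket, so one tool cannot read
    // what another tool stored.
    let bucket = stores.get(origin);
    if (!bucket) { bucket = new Map(); stores.set(origin, bucket); }

    let reply;
    if (data.action === 'put' && typeof data.value === 'string') {
      if (!bucket.has(data.key) && bucket.size >= maxKeysPerOrigin) {
        reply = { id: data.id, ok: false, error: 'quota' }; // bound memory use
      } else {
        bucket.set(data.key, data.value);
        reply = { id: data.id, ok: true };
      }
    } else if (data.action === 'get') {
      const value = bucket.has(data.key) ? bucket.get(data.key) : null;
      reply = { id: data.id, ok: true, value };
    } else {
      return null; // unknown action
    }
    // Pin targetOrigin to the sender's origin: if the frame has navigated to
    // another site in the meantime, the browser will not deliver the reply.
    if (source && typeof source.postMessage === 'function') {
      source.postMessage(reply, origin);
    }
    return reply;
  };
}

// In the parent page:
// window.addEventListener('message', createFrameStore(['https://tool.example']));
```

Replying with the sender's origin as `targetOrigin` instead of `'*'` matters as much as the inbound origin check, since a stored session identifier is exactly what the reply carries.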