Embedded Page Content not Loading External Tools (LTIs) in Canvas


Environment

Canvas

Chrome browser, version 80 or later in:

  • Windows, Mac OS, Linux, Android

Note: Chrome browser on iOS (iPhone, iPad) is not affected

Issue

In Canvas sites that embed content from other sites, that external content fails to load. Conditions where this is likely to occur include the use of external tools within Canvas (commonly called LTIs) and the use of links to websites that load content within a Canvas page. The problem may be due to recent changes in Chrome’s default security settings. 

Resolution

  • Confirm that the browser is configured with the new security settings.
    • In the affected Chrome browser, visit https://samesite-sandbox.glitch.me
    • If any rows end with “Invalid” or “Careful” (with a flag icon), the resolution below is not relevant and you should stop here.
  • If all six rows end with “Compliant”, you may disable the enhanced security settings.
    • In the affected Chrome browser, visit “chrome://flags” (if clicking the link does not work, you may copy/paste it into Chrome's address bar)
    • In the “Search flags” field, type “samesite” with no spaces
    • Three “Experiments” should be displayed. Change the following two to “Disabled”
      • SameSite by default cookies
      • Cookies without SameSite must be secure
    • The third one, “Enable removing SameSite=None cookies”, can be left as is.
  • Please note this resolution will work only temporarily.
    • This resolution will likely be overridden each time Chrome updates in the future (typically, every six weeks).
    • Future versions of other browsers (Microsoft Edge, Firefox, etc.) are also expected to implement the SameSite security settings, at which point they will also behave as Chrome does.
    • Ideally, the maintainer/owner of each affected Canvas site should explore ways to include the desired content in a way that works with the new browser security settings.

Note: Other browsers (Microsoft Edge, Firefox, etc.) are expected to implement these same default security settings in the near future, so site maintainers will be increasingly confronted with this issue if they do not change how their sites provide content from other sites.
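
For maintainers of embedded tools, the two Chrome settings named above correspond to two checks on every Set-Cookie header the tool sends. The script below is an added example, not part of the original article or of Canvas; it classifies Set-Cookie values by how a browser enforcing both settings treats them inside another site's page. The function names and sample headers are constructed for illustration.

```javascript
// Added example. classifySetCookie, auditCookies and sampleHeaders are
// hypothetical names; the header values are constructed sample data.
// Models "SameSite by default cookies" and "Cookies without SameSite must be
// secure" for a tool loaded in a frame on a different site (e.g. an LTI).
function classifySetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  let sameSite = null;
  let secure = false;

  for (const attr of parts.slice(1)) {
    const [rawKey, rawValue = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    if (key === 'samesite') sameSite = rawValue.trim().toLowerCase();
    if (key === 'secure') secure = true;
  }

  // Missing or unrecognized SameSite: the browser applies Lax by default.
  if (!['none', 'lax', 'strict'].includes(sameSite)) {
    return { name, verdict: 'blocked-in-embed', reason: 'no valid SameSite; treated as Lax' };
  }
  if (sameSite === 'none') {
    // SameSite=None is only accepted together with Secure (HTTPS only).
    return secure
      ? { name, verdict: 'sent-in-embed', reason: 'SameSite=None with Secure' }
      : { name, verdict: 'rejected', reason: 'SameSite=None without Secure' };
  }
  // Explicit Lax or Strict cookies are not sent in cross-site frames.
  return { name, verdict: 'blocked-in-embed', reason: `SameSite=${sameSite} not sent in cross-site frames` };
}

function auditCookies(headers) {
  return headers.map(classifySetCookie);
}

const sampleHeaders = [
  'lti_session=abc123; Path=/; HttpOnly',                        // legacy cookie
  'lti_session=abc123; Path=/; SameSite=None',                   // missing Secure
  'lti_session=abc123; Path=/; HttpOnly; Secure; SameSite=None', // corrected form
  'prefs=dark; Path=/; SameSite=Lax',                            // first-party only
];

for (const r of auditCookies(sampleHeaders)) {
  console.log(`${r.name}: ${r.verdict} (${r.reason})`);
}
```

Only the third sample header yields a cookie that still reaches the tool when it is embedded, which is the form an embedded tool's session cookie needs under the new defaults.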

Additional Information

For additional questions, please contact the ITS Service Center.