Add SameSite=none value to WordPress cookies for LTI launches #1919
Labels:
- Medium - 5 (Planning Poker T-Shirt Size)
- security (Pull requests that address a security vulnerability)
- upstream (issue that needs an upstream fix)
When users launch Pressbooks within their LMS via LTI, they load the page securely via iFrame inside another application (the LMS). Chrome has recently tightened their policies around SameSite cookies, and requires SameSite=None and Secure values in order for these pages to display properly. Chrome's default value is "lax" rather than "strict" or "none". WordPress does not natively allow its authentication cookies to be filtered with SameSite values. There's a WP ticket that talks about support for SameSite attributes in PHP 7.3 and discusses the possible use of a plugin and edits to the wp-config.php file: https://core.trac.wordpress.org/ticket/37000#comment:26. Another plugin https://github.com/MikhailRoot/samesite-cookie-manager/blob/master/samesite-cookie-manager.php may be similarly promising. We should investigate further to see if we can do this safely and responsibly for networks which use our LTI plugin.
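The following is an added illustration of the approach the linked ticket and plugin take, written here as a must-use plugin sketch; it is not Pressbooks, WordPress core, or the linked plugin's code. It assumes PHP 7.3 or later (so `setcookie()` accepts the options array with a `samesite` key), the core hooks `send_auth_cookies`, `set_auth_cookie` and `set_logged_in_cookie`, and the core cookie constants. The `EX_LTI_LAUNCH` constant and the `ex_` functions are hypothetical names standing in for whatever the LTI plugin would use to detect a launch.

```php
<?php
/**
 * Plugin Name: SameSite=None for auth cookies on LTI launches (added example)
 *
 * Re-sends the WordPress auth and logged-in cookies with SameSite=None; Secure
 * so they survive inside a cross-site LMS iframe. Only active on HTTPS and only
 * when the (hypothetical) EX_LTI_LAUNCH constant marks the request as an LTI launch.
 */

// Hypothetical launch check: a real integration would ask the LTI plugin.
function ex_lti_needs_samesite_none(): bool {
    // Never relax SameSite on plain HTTP: browsers drop SameSite=None cookies without Secure.
    return defined( 'EX_LTI_LAUNCH' ) && EX_LTI_LAUNCH && is_ssl();
}

// Emit one cookie with the cross-site attributes Chrome now requires.
function ex_set_cookie( string $name, string $value, int $expire, string $path ): void {
    setcookie( $name, $value, [
        'expires'  => $expire,
        'path'     => $path,
        'domain'   => COOKIE_DOMAIN ? COOKIE_DOMAIN : '',
        'secure'   => true,   // mandatory companion of SameSite=None
        'httponly' => true,   // keep the session cookie away from page scripts
        'samesite' => 'None',
    ] );
}

// Tell core not to send its own attribute-less cookies when we take over.
add_filter( 'send_auth_cookies', function ( bool $send ): bool {
    return ex_lti_needs_samesite_none() ? false : $send;
} );

// Mirror core's auth cookie on both paths it normally uses.
add_action( 'set_auth_cookie', function ( $auth_cookie, $expire, $expiration, $user_id, $scheme ) {
    if ( ! ex_lti_needs_samesite_none() ) {
        return;
    }
    $name = ( 'secure_auth' === $scheme ) ? SECURE_AUTH_COOKIE : AUTH_COOKIE;
    ex_set_cookie( $name, $auth_cookie, (int) $expire, PLUGINS_COOKIE_PATH );
    ex_set_cookie( $name, $auth_cookie, (int) $expire, ADMIN_COOKIE_PATH );
}, 10, 5 );

// Mirror core's logged-in cookie on the site and, if different, the front-end path.
add_action( 'set_logged_in_cookie', function ( $logged_in_cookie, $expire ) {
    if ( ! ex_lti_needs_samesite_none() ) {
        return;
    }
    ex_set_cookie( LOGGED_IN_COOKIE, $logged_in_cookie, (int) $expire, COOKIEPATH );
    if ( COOKIEPATH !== SITECOOKIEPATH ) {
        ex_set_cookie( LOGGED_IN_COOKIE, $logged_in_cookie, (int) $expire, SITECOOKIEPATH );
    }
}, 10, 2 );
```

Two points worth checking before adopting anything like this on a network: a cookie marked SameSite=None is sent on every cross-site request, so state-changing endpoints must keep relying on WordPress nonces rather than on the browser withholding the session cookie; and the `is_ssl()` guard matters because a SameSite=None cookie without the Secure flag is rejected outright, which would silently break the LTI login rather than fix it.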