Add SameSite=none value to WordPress cookies for LTI launches
#1919
Assignees
Labels
Medium - 5
Planning Poker T-Shirt Size
security
Pull requests that address a security vulnerability
upstream
issue that needs an upstream fix
Comments
SteelWagstaff
added
security
|
It was done here: https://github.com/pressbooks/pressbooks-lti-provider-1p3/pull/24 and here: pressbooks/pressbooks-lti-provider#74 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When users launch Pressbooks within their LMS via LTI, they load the page securely via iFrame inside another application (the LMS). Chrome has recently tightened their policies around SameSite cookies, and require a SameSite=None and Secure values in order for these pages to display properly. Chrome's default value is "lax" rather than "strict" or "none". WordPress does not natively allow it's authentication cookies to be filtered with SameSite values. There's a WP ticket that talks about support for SameSite attributes in PHP 7.3 and discusses the possible use of a plugin and edits to the
wpconfig.phpfile: https://core.trac.wordpress.org/ticket/37000#comment:26. Another plugin https://github.com/MikhailRoot/samesite-cookie-manager/blob/master/samesite-cookie-manager.php may be similarly promising. We should investigate further to see if we can do this safely and responsibly for networks which use our LTI plugin.The text was updated successfully, but these errors were encountered: