Effects of third-party cookies in Canvas

On this page:

Changes to Chrome

In February 2020, Google released version 80 of its Chrome web browser, which changes the way third-party cookies are handled. By default, Chrome will block third-party cookies unless the embedded web application takes necessary steps to prevent the cookies from being blocked.

In Canvas, you may experience difficulties launching third-party tools from the course navigation menu, course modules, and elsewhere while UITS works with application providers to patch their software to comply with Chrome 80.

Note:
Do not alter your web browser's settings to force your browser to accept third-party cookies, as they can pose risks to privacy and/or security. UITS recommends that you leave your browser's default cookie settings in place.

If you suspect third-party cookies are causing an error

  • Try a different web browser: This is often the quickest troubleshooting step to try. If you have another browser (or two), try opening the problematic page in a different web browser to see if it functions properly.
  • Visit the embedded tool directly to establish "first party trust" with it: If you know the website URL for the embedded service that you suspect is failing due to a blocked third-party cookie, try visiting that website in its own browser tab. This may establish what's called "first party trust" with the external application, allowing the embedded application to then function properly in Canvas.
  • Contact the Support Center: Your campus Support Center may be able to help you troubleshoot the issue and determine if third-party cookies are in fact the problem.
  • Report the problem to your instructor: If you experience problems loading external tools in Canvas, alert your instructor. It may be possible to provide access to the external tool/resource in a way that does not involve third-party cookies.

Temporary fix for instructors

If a third-party tool is broken in your course site due to a third-party cookie issue, try this workaround:

  1. Create a new module in your course site called "Canvas Third-party Tools" or another name you choose. (If you aren't sure how to use Canvas Modules, see the Modules section of the Canvas Guides).
  2. In the new module, click + (Add Item) to add a new item to the module.
  3. From the Add drop-down menu in the "Add Item" window, select External Tool.
  4. Select the desired tool from the external tools list. Scroll to the bottom of the window and check Load in a new tab. Loading the tool in a new tab will circumvent the third-party cookies problem. If you wish, you can also change the display name of the tool by editing the Page Name.
  5. To finish adding the tool to the module, click Add Item.
  6. Repeat steps 1-5 for each problem tool.
  7. Publish the module and items. Your students will now be able to launch the tools from Canvas Modules.

If you receive an "Access Denied" message:

  1. Make sure you're running the most recent version of Chrome; to update your browser, see Update Google Chrome.
  2. In Chrome, visit chrome://flags.
  3. At the top of the page, in the "Show flags" box, type samesite.
  4. Next to "SameSite by default cookies", make sure the drop-down is set to Default.

More about cookies

How browsers use cookies

When a website needs to keep track of something about your interaction with the site (such as settings or preferences), it will often store a small text file called a cookie in your web browser's storage. Cookies allow websites to "remember" your settings in between browsing sessions, so that when you leave the site and come back later, the site will preserve your settings. This is a useful mechanism, and an extremely common part of how websites and web browsers work.

About third-party (or "cross-domain") cookies

Websites often embed external resources and experiences from other web materials served from another location on the web. Canvas, for example, may embed a learning tool inside a frame in the Canvas environment. These external web applications will sometimes need to store their own cookies. Since the external web application is being served from a different domain, or URL, than the one you see in the browser's URL bar, this cookie is considered to be third-party (or cross-domain).

Graphic displays non-matching domains

How browsers handle third-party cookies

Since third-party cookies operate in a different domain than the main website that you may be visiting, some web browsers may block these cookies in some circumstances, depending on how the external application's cookies have been structured. Depending on how the third-party application is programmed, it may not function as expected, or it may fail to function entirely (with or without an error message). In short, the way an application behaves when the web browser blocks third-party cookies depends on the application's programming, and may vary.

This is document bdnr in the Knowledge Base.
Last modified on 2021-09-20 16:24:42.