SafeExamBrowser / seb-win-refactoring

Safe Exam Browser for Windows.
https://www.safeexambrowser.org/news_en.html
Mozilla Public License 2.0
186 stars 124 forks

Lack of 3rd Party Cookies settings prevents LTI from loading correctly. #207

Closed kstarzecki closed 1 year ago

kstarzecki commented 3 years ago

In our institution we're using two LTIs that are often used for examination. With version 2.x we had no issues with cookies.

This year we decided to test version 3.x and the LTIs do not load (we get a '3rd party cookies need to be enabled' sort of error for embedded content, or a 403 when credentials are not passed between browser windows).

As far as I can tell there are no presets with regard to cookies. Is it reasonable to request the addition of Cookies / Privacy presets?

dbuechel commented 3 years ago

You are correct, there are no cookie-specific settings in SEB at the moment, only the setting related to clearing the cache / deleting the cookies at the start and end of a session. So you'd need to specify exactly what you would need, but I must advise you that we currently already have a full backlog of planned features. Did you verify that your web application works in Chrome / Chromium?

kstarzecki commented 3 years ago

Yes, it does (for example MS Edge with Balanced Tracking Prevention under Privacy). We don't necessarily need a UI, just an endpoint in config to adjust the settings would be enough.

I guess it boils down to being able to choose between:

(I'm not sure if you have some other privacy features enabled by default)

I'd like to add that a lot of LTIs that are not embedded into the LMS in some way rely on 3rd party cookies for authentication. So, if an institution relies on such an LTI to deliver examination, they might be in a similar situation as us.

kurniawano commented 2 years ago

I have a similar issue with my LTI. So now SEB Windows does not work with my LTI but SEB Mac still works fine. Is there a simple way to resolve this for the short term?

dbuechel commented 2 years ago

We unfortunately won't be able to invest time in this issue in the foreseeable future, so I'm afraid there is no way at the moment unless someone would be able to come up with a pull request or a workaround.

danschlet commented 2 years ago

@dbuechel check this page out please: https://ourcodeworld.com/articles/read/1450/how-to-disable-the-samesite-cookies-policy-in-cefsharp-winforms-c-sharp

To me it looks like setting the mentioned flag should solve this issue: settings.CefCommandLineArgs["disable-features"] += ",SameSiteByDefaultCookies";

If this is possible in your implementation with CefSharp, we should add a new SEB setting allowThirdPartyCookies (with default false). When allowThirdPartyCookies = true, the above-mentioned flag would need to be set.

dbuechel commented 2 years ago

Yes, I think that should be possible. Users should be aware, however, that this will potentially compromise their security (CSRF), but I guess for an exam scenario the risks should be minimal.

jeroenhabets commented 2 years ago

@kstarzecki what version of LTI are you using? The deprecated 1.1 or the current 1.3 aka LTI Advantage?

dbuechel commented 1 year ago

Okay, it turns out that this flag has been completely removed starting with version 94: https://www.chromium.org/updates/same-site/. Thus, we unfortunately won't be able to implement this feature request.
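
Under the Chromium SameSite rules linked above, a cookie is only eligible to be sent to an embedded cross-site tool when it is set with SameSite=None together with Secure; a cookie with no SameSite attribute is treated as Lax. The following is an added example, not part of the thread and not SEB or CefSharp code, that classifies a tool's Set-Cookie values by that rule; the function names and sample headers are constructed for illustration.

```python
# Added example: how Chromium's SameSite defaults treat a cookie when the tool
# is embedded cross-site (an LTI launch inside the LMS page). Names are illustrative.

def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cross_site_verdict(value):
    """Return (name, verdict) for a cookie requested from a cross-site iframe."""
    name, attrs = parse_set_cookie(value)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # SameSite=None is only accepted together with Secure.
        if "secure" in attrs:
            return name, "eligible"
        return name, "rejected: SameSite=None without Secure"
    if samesite == "strict":
        return name, "withheld: SameSite=Strict"
    if samesite == "lax":
        return name, "withheld: SameSite=Lax"
    # Missing or unrecognised attribute: treated as Lax by default.
    return name, "withheld: no SameSite, treated as Lax"


def audit(set_cookie_values):
    """Map each cookie name to its verdict."""
    return dict(cross_site_verdict(v) for v in set_cookie_values)


# Constructed sample headers, not captured from any real LTI tool.
SAMPLE = [
    "lti_session=abc123; Path=/; HttpOnly",
    "csrftoken=x9; Path=/; SameSite=Lax; Secure",
    "launch_state=77f; Path=/; SameSite=None",
    "tool_auth=e41; Path=/; Secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE).items():
        print(f"{cookie}: {verdict}")
```

A cookie reported as "eligible" can still be blocked by a separate third-party cookie policy in the browser; the check only covers the SameSite rules.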