lf- / lti13

A Haskell LTI 1.3 library
GNU Lesser General Public License v3.0

iframe'd logins don't work in Safari/WebKit due to cookie privacy changes #1

Open lf- opened 4 years ago

lf- commented 4 years ago

Due to the default disabling of third-party cookies in WebKit, logging in via lti13 fails in an iframe. This can be hacked around by using Canvas-specific APIs that request to be opened in a new window for a consent page (user must click a button on the page). Detecting this condition where we need to ask for storage access, and handling it, also requires rewriting the initiate handler so it performs its redirects via JavaScript. Overall this is pretty gross and I don't want to implement it until the interface for the messages we have to send to the parent window is standardized in the LTI spec.

Until such a time as it's standardized, I suggest that this library only be used for launches in new windows. Also, I'm not sure if we document the SameSite=none requirements for Yesod if you want to be iframe'd in any browsers (including Chrome and Firefox). Some docs changes should be made to reflect this.

See https://community.canvaslms.com/t5/Developers-Group/Safari-13-1-and-LTI-Integration/ba-p/273051 for details.

cc @gleachkr (filing this for tracking as discussed on the Carnap matrix)
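Added example (not part of the issue and not lti13 code): a small check that reads the `Set-Cookie` headers a tool sends and reports the ones whose attributes would keep the session cookie out of a cross-site iframe, which is the SameSite=None requirement mentioned above. The cookie name, values and finding codes are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for cross-site iframe launches.
# Cookie names and values below are constructed sample data.

EXPLAIN = {
    "samesite-missing": "no usable SameSite attribute; browsers that default "
                        "to Lax withhold the cookie in a cross-site iframe",
    "samesite-restrictive": "SameSite=Lax/Strict; the cookie is withheld in a "
                            "cross-site iframe",
    "none-without-secure": "SameSite=None without Secure; browsers reject the cookie",
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:  # skip the empty piece left by a trailing ';'
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def iframe_findings(header):
    """Return (name, [finding codes]); an empty list means the attributes are fine."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if same_site in ("lax", "strict"):
        return name, ["samesite-restrictive"]
    if same_site != "none":
        # Missing or unrecognised values fall back to the browser default.
        return name, ["samesite-missing"]
    if "secure" not in attrs:
        return name, ["none-without-secure"]
    return name, []

SAMPLE_HEADERS = [  # constructed
    "session=abc123; Path=/; HttpOnly",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "session=abc123; Path=/; HttpOnly; SameSite=None",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, codes = iframe_findings(header)
        print(name, "OK" if not codes else "; ".join(EXPLAIN[c] for c in codes))
```

A clean result only covers the cookie attributes; it does not change WebKit's default third-party cookie blocking described in the issue.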