Skip to main content

Chrome 80: Blocked content in Canvas

 

In a nutshell

  • Google Chrome updates security/cookie settings
  • Change goes into effect Monday, February 17th, 2020
  • The change will block some third-party cookies
  • In the case of Canvas, affected third-party content includes:
    • iClicker Remote Registration page
      • iClicker software and remotes will continue to function
    • Zoom
    • Publisher content, eg:
      • McGraw-Hill
      • Pearson
  • If you are a Chrome user and run into issues, please use another browser, like Firefox

For a detailed explanation, continue reading below.

Background

Google released a Chrome update that promises, among other things, a more secure browsing experience. The improved security is in large part due to Chrome's new approach to cookies' SameSite attributes. The change will block third-party cookies that are not properly configured by the third-party's web developers. In the case of Canvas, examples of affected third-party content includes the iClicker Remote Registration page and Zoom Conference Scheduling page. If you are a Chrome user and run into issues when trying to access this content, please use another browser, like Firefox, for the time being.

What are cookies?

You might have seen pop-up messages from websites asking you to agree to the use of cookies on their websites. A cookie is a small piece of information sent from a website and stored on a user’s computer by the user’s web browser.  Some cookies are essential to the functioning of a website, for example, those tracking whether users are logged in, and those recording items in an online shopping cart; others are used to collect and analyze information on site performance and usage, to remember user preferences, and to customize content and advertisements. There are some cookies that pose security concerns because they make it easier for unidentified parties to track user behavior on the web.

What are the upcoming Chrome security changes?

On February 17, 2020, Chrome plans to enforce a new cookies model to provide protection against network attacks in its version 80 browser. Under this new model, HTTP cookies must either:

  1. Originate from and be used only for the website domain in the user’s address bar, or
  2. Be marked as accessible via a secure communication channel if they were to be used for a website domain different from the one in the user’s address bar. 

This model also requires web developers to properly attribute which kind of cookies they are using. Other browsers have announced plans to adopt the same approach as Chrome, although the timeline for their changes has not been made public.

How does this affect me?

The changes in default cookies settings may affect any webpage that uses third-party content. Examples of third-party content include iClicker Remote Registration, the Zoom Conference Scheduler integration, and possibly other integrated external tools such as publisher content.  This content will be blocked from being displayed if the cookies are not appropriately configured.

You are affected if:

  • The content you expected to see is not displayed
  • You see an error message, or
  • You are prompted repeatedly to log in even though you have provided the correct username and password

Firefox vs Chrome comparison of iClickers Remote Registration pageExample of third-party content (iClicker Remote Registration) not displaying correctly in Chrome 80 when secure-by-default browser cookies settings are in place.

What can I do about it?

As a content consumer, you have two options to view the content:

  1. Open the content in its own new window.
    Some vendors may provide an error message that includes a link to open the content in a new window.
    "Open in a new window" prompt when trying to use Zoom in Canvas
  2. Use a different browser.
    Some vendors do not provide an error message or authentication fails repeatedly. If you are using one of these tools, and you don’t have an easy way to open the content in a new browser window, then your only option is to use a different browser. At the time of writing, Firefox has not enforced the secure-by-default model for browser cookies settings.

Recommendations for Course Content Creators (ie, Instructors, TAs, Course Designers)

As content creators, instructors, TAs, and course designers, should provide an option to view third-party content. In a Canvas course site, instructors and TAs can select the “Load in a new tab” option when they add External URLs or External Tools to a Module, or when adding an External Tool Assignment. We strongly recommend this approach to reduce the amount of troubleshooting and student questions, especially given that other browsers have announced plans to adopt the same approach as Chrome.

Load in New Tab option for URLs in Canvas

Select the Load in a new tab option when adding External URLs or External Tools to Canvas Modules.

 

Load this tool in a new tab option when using third-party tools

Select the Load This Tool In A New Tab option in External Tool Canvas Assignments.

Known problems and suggested solutions

The EdTech Support (ETS) office has tested the integrated learning tools connected to Canvas available to all courses. As of February 10th, 2020, ETS has found that the following vendors still need to update their tools in order for their content to display correctly when secure-by-default browser cookie settings are in place:

Tool/Integration Problem Recommendation 
iClicker Users cannot register their iClicker remotes. Use a different browser.
Zoom Users are not automatically logged in within Canvas. Click link in the error message to open new window; or use a different browser. Follow the instructions on the screen if you are asked to log in again.

 If you find any other third-party tools that are not working as expected, please report the issue by emailing canvas@ucsd.edu.

Should I update my browser?

Yes, and according to WhatIsMyBrowser.com here's why:

Get the most out of the internet

Websites and cloud services, like Canvas, take advantage of new features that modern web browsers provide, such as:

  • HTML5 video and audio
  • Advanced JavaScript and CSS styling

If you're running something that's very out of date, you probably won't be able to use some or all of the features of the sites you visit.

Stay safe and secure

If you run a web browser that is out of date and which contains security vulnerabilities, you risk having your computer compromised by criminals. Depending on the security exploit, your personal information (including emails, banking details, online sales, photos and other sensitive information) could be stolen or destroyed. This is not a hypothetical occurrence; it happens regularly and in large volumes.

If your computer's security is compromised, you also run the risk of being used as a "middle man" in online crime by sending out thousands of spam emails; or as an unwitting pawn in large scale attacks against UC San Diego and other internet users – all without you even being aware.

References

The content on this page was adapted from the University of Chicago's Academic Technology Solutions support site.

Author: Cecilia Lo (University of Chicago)
Adapted by: Ed Ruiz (UC San Diego)