Fix cookie samesite issue for LTI 1.3 deep linking
LTI 1.3 deep linking doesn't seem to be working properly in the latest Chrome. This is because the SameSite cookie property is not set properly.

See instructure#1900
jbergfi authored Sep 19, 2022
1 parent 6310840 commit dde2726
Showing 3 changed files with 4 additions and 3 deletions.
Expand Up @@ -32,7 +32,7 @@ def masked_authenticity_token(cookies, options = {})
encoded_masked_token = masked_token(unmasked_token(cookies["_csrf_token"]))

cookie = { value: encoded_masked_token }
%i[domain httponly secure].each do |key|
%i[domain httponly secure same_site].each do |key|
next unless options.key?(key)

cookie[key] = options[key]
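Review bot: The `%i[domain httponly secure same_site].each` loop copies `same_site` into the cookie without checking it against `secure`. Browsers reject a cookie marked SameSite=None unless it is also Secure, so a caller that passes `same_site: :none` without `secure: true` would have the CSRF token cookie dropped by the browser. Consider raising or logging on that combination, and document the accepted option keys on `masked_authenticity_token` now that there are four.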
3 changes: 2 additions & 1 deletion gems/request_context/lib/request_context/session.rb
Expand Up @@ -32,7 +32,8 @@ def call(env)
ActionDispatch::Request.new(env).cookie_jar[:log_session_id] = {
value: session_id,
secure: Rails.application.config.session_options[:secure],
httponly: true
httponly: true,
same_site: Rails.application.config.session_options[:same_site]
}
end

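Review bot: `Rails.application.config.session_options[:same_site]` on the new `same_site:` line evaluates to nil when the session options have no `:same_site` entry, so this hash always carries the key, whereas `authenticity_token_options` in this same commit uses `slice`, which leaves an unconfigured key out. Please make the two consistent, for example by merging `session_options.slice(:same_site)` into the hash, or confirm that the cookie jar treats an explicit nil the same as an absent key. A short comment on why the `log_session_id` cookie should follow the session cookie's SameSite policy would also help.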
2 changes: 1 addition & 1 deletion lib/canvas/request_forgery_protection.rb
Expand Up @@ -40,7 +40,7 @@ def verified_request?

def authenticity_token_options
session_options = CanvasRails::Application.config.session_options
options = session_options.slice(:domain, :secure)
options = session_options.slice(:domain, :secure, :same_site)
options[:httponly] = HostUrl.is_file_host?(request.host_with_port)
options
end
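Review bot: Adding `:same_site` to the `slice` in `authenticity_token_options` makes the CSRF token cookie's cross-site behaviour depend on the session configuration, and the hunks shown here change only implementation code with no accompanying spec. Please add a test asserting that the cookie carries the configured `same_site` value, plus one for the case where the key is not configured. A comment here should also state that when the configured value relaxes SameSite, the cookie attribute no longer limits cross-site sends and `verified_request?` has to carry the protection on its own.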