Canvas - Embedded Content and Third-party Cookies [UW-Madison]
Google Chrome uses a secure-by-default model for browser cookies for the purpose of improving privacy and security. In macOS, Safari 13.1 or later disables cross-site tracking by default. These functions may cause certain embedded content within Canvas, and other websites and applications, to stop working.
How does this affect me?
This may affect sites, such as Canvas, that use embedded third-party content. Third-party content will be blocked from being displayed if the cookies are not appropriately configured. Examples of third-party content in Canvas include embedded Pressbooks chapters with H5P content, Instructure’s own Attendance/Roll Call tool, Box, and other integrated external tools such as publisher content like McGraw-Hill Connect. This content will be blocked from being displayed if the cookies are not appropriately configured.
How do I know if I'm affected?
You are affected if the content you expected to see is not displayed, if you see an error message in lieu of expected content from an external tool, or if you are prompted repeatedly to log in even though you have provided the correct username and password.
Example of third-party content (Box) not displaying correctly in Canvas when browser cookie settings are set to secure-by-default.
What can I do about it?
As a student or content consumer, you have three options to view the content:
Open the content in its own new window.
Some applications or websites may provide an error message that includes a link to open the content in a new window. Try clicking the link if it is available.
Use a different browser.
Some applications or websites do not provide an error message, or authentication fails repeatedly. If you are using one of these tools, and you don’t have an easy way to open the content in a new browser window, then you can use a different browser, like Firefox. When this document was written, Firefox has not enforced the secure-by-default model for browser cookie settings.
Allow blocked cookies for the site in Chrome.
On a site which is blocking cookies, you can manually allow blocked cookies by:
- Click on the cookie icon on the right side of the address bar (next to the Bookmark Star button).
- Click Show cookies and other site data...
- Click the Blocked tab to show the blocked cookies.
- Click the Allow button in the bottom of the “Cookies in use” window.
- Clicking on the blue Done button in the bottom right.
Chrome will ask you to reload the page, and then the missing content should appear.
As a content creator or instructor, it helps if you provide an option to view third-party content in a new window. In a Canvas course site, instructors and TAs can select the Load in a new tab check-box when they add external URLs or external tools to a module or when adding an external tool assignment. We recommend this approach to reduce the amount of troubleshooting and student questions, especially given that other browsers have announced plans to adopt the same approach as Chrome.
Select the Load in a new tab check-box when adding External URLs or External Tools to Canvas Modules.
In Safari, Disable cross-site protection
If using Safari 13.1 or later, disable cross site protection. Follow these steps to locate the Prevent cross-site tracking checkbox, and uncheck it.
Known issues and suggested solutions
Learn@UW-Madison has tested many of the tools integrated with Canvas that are available to all courses. As of February 4, 2020, Learn@UW-Madison has found the following tools still have issues, and their vendors still need to update their tools in order for their content to display correctly when secure-by-default cookie settings are in place:
| Tool / Integration | Issue | Recommendation |
|---|---|---|
| Box | If an instructor has enabled the Box tool in the course navigation, and you click on it, it will ask you to authorize and display the error: Page Error - The page you were viewing has expired. Please go back and try your request again. OR Invalid Login Credentials |
Load and login to Box in a new window or tab, return to Canvas and reload the page, or use Firefox for now. |
| Honorlock | Student will receive the following message after clicking the Honorlock link in their course: Your Integration with Honorlock has encountered an issue. Please review below or contact Honorlock support for further assistance. | Allow blocked cookies. |
| Kaltura MediaSpace | Instead of displaying embedded Kaltura MediaSpace media, a "Browser Cookies Issue" error message displays instead. |
Allow blocked cookies, or use Firefox for now. More info is in the KB doc on the Kaltura third party cookie issue. |
| McGraw-Hill Connect | Connect displays the error: Error: Sorry, error happened: Session is expired or invalid {trackingId=XXXXXXXXXXX, key=launchContext} |
Follow the instructions provided by McGraw-Hill support. Contact McGraw-Hill support if the error message does not resolve. |
| Microsoft Office 365 | If the instructor launches the Canvas rich content editor, clicks the More External Tools button, and selects Office 365, a blank window is displayed rather than the list of Office 365 files. Students can still click on links to Office 365 files which will open in a new window. | Allow blocked cookies, or use Firefox for now. |
| Pressbooks with H5P activities | H5P questions will not load unless you enable third party cookies. | Allow blocked cookies, or use Firefox for now. Course creators can link out to Pressbooks materials rather than embedding directly in Canvas. |
| SCORM modules | If your SCORM module contains all the content to be displayed, it should display ok. If your SCORM module has vended SCORM content (SANS, EverFi, etc.) then you should test them both for loading and completion reporting. | Allow blocked cookies, or use Firefox for now. |