Affects Version/s: None
We implemented SameSite cookie, which broke all ContentItem callbacks whether it is Strict or Lax. This JIRA will make it so that ContentItem works when SameSite cookie is set. I investigated several solutions: KNL-1584
- I initially thought that I could move the code that responds to the POST from the LTI Admin tool to a servlet - but since the POST is coming from the browser - this is not a solution.
- My next investigation is setting SameSite to Lax when I launch the external tool and setting it back to Strict when I return from the launch.
Here is an option that at this point I am discarding for the moment. I include this so you understand its flaws:
- Teach Tsugi to do the POST server to server, receive the redirect and then go to the redirect. This is bad for several reasons: (1) non-Tsugi ContentItem sources will fail unless they take this approach and (2) not every LMS sends a redirect after it gets the POST - at one point Canvas handled this response in the browser and there was no redirect. So it is not likely that a Tsugi server-to-server approach could be made to work reliably for all LMSs.
Please comment below as I work through the various options.
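Why the ContentItem return breaks under both settings, as an added example that is not Sakai or Tsugi code: a simplified model of the browser's SameSite decision applied to the cross-site POST described above. The hostnames are constructed, and "site" is approximated without a public suffix list.

```python
"""Simplified model of the browser's SameSite check for a session cookie."""
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass(frozen=True)
class Request:
    initiator: str   # URL of the page that triggered the request
    target: str      # URL the request is sent to
    method: str
    top_level: bool  # True when the navigation changes the address bar

def site(url):
    """Assumption: site = scheme + last two host labels (no public suffix list)."""
    parts = urlsplit(url)
    return parts.scheme, ".".join(parts.hostname.split(".")[-2:])

def cookie_sent(samesite, secure, req):
    """Return True if the browser attaches the cookie to req."""
    if secure and urlsplit(req.target).scheme != "https":
        return False
    if samesite == "None":
        return secure  # browsers reject SameSite=None without Secure
    if site(req.initiator) == site(req.target):
        return True
    if samesite == "Lax":
        # Cross-site: only top-level navigations with a safe method qualify.
        return req.top_level and req.method in SAFE_METHODS
    return False  # Strict: never sent on cross-site requests

# Constructed hosts: the LMS and the external tool live on different sites.
LMS = "https://lms.example.edu/portal/contentitem/return"
TOOL = "https://tool.example.org/select"

FLOWS = {
    "contentitem_post": Request(TOOL, LMS, "POST", True),  # tool posts selection back
    "redirect_get": Request(TOOL, LMS, "GET", True),       # plain link or redirect
    "in_lms_post": Request("https://lms.example.edu/portal", LMS, "POST", True),
}

def contentitem_matrix():
    """Map each flow to whether the session cookie arrives, per SameSite value."""
    return {name: {mode: cookie_sent(mode, True, req)
                   for mode in ("Strict", "Lax", "None")}
            for name, req in FLOWS.items()}

if __name__ == "__main__":
    for name, row in contentitem_matrix().items():
        print(f"{name:17} {row}")
```

In this model the ContentItem POST reaches the LMS without its session cookie under both Strict and Lax, while a cross-site top-level GET still carries it under Lax.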