Google Chrome is rolling out an update that changes how cookies are handled. This will be the default setting from this week onwards.

The ‘SameSite’ update requires websites to explicitly label the third-party cookies that can be used. Any cookies without correct labelling won’t work in the Chrome browser.

Chrome will be updated across all university computers. Until cookie settings are updated, the workaround is to use another browser, e.g. Firefox or Safari.

Canvas Impacts

Instructure (Canvas) and other vendors have already updated their applications to be compatible with the new Chrome settings. However, if you find an LTI is not working, please try it in Firefox or Safari and contact the vendor.

We have tested the following University of Auckland Canvas applications and identified fixes to be applied which will be released this month.

| Tool | Status | Workaround until fixed |
|---|---|---|
| Final Grades Tool | Update required | Use Firefox or Safari |
| UoA Toolbox | Update required | Use Firefox or Safari |
| Lecture Recordings | Update required | Use Firefox or Safari |
| Course Roster | Update required | Use Firefox or Safari |
| Assignment Coversheet | Update required | Use Firefox or Safari |
| Booklet Generation | Update required | Use Firefox or Safari |
| SET Evaluation | No update required | N/A |
| Digital Course Outline | No update required | N/A |

More information about the changes

Why is Google making this update?
Third-party cookies can make people vulnerable to malicious tracking and data leakage. They can also make users susceptible to what are known as cross-site request forgery attacks. For example, a user might click on a link in an email that allows someone else to log into their banking website.

What is the change?
Google announced in May last year that in Chrome version 80 and beyond, cookies that do not include the “SameSite=None” and “Secure” labels won’t be accessible by third parties, such as ad tech companies.

Right now, the Chrome SameSite cookie default is “None,” which allows third-party cookies to track users across sites. From February, cookies will default to “SameSite=Lax,” which means cookies are only set when the domain in the URL of the browser matches the domain of the cookie, that is, a first-party cookie.

Any cookie with the “SameSite=None” label must also have the Secure flag, meaning it will only be created and sent through requests made over HTTPS. Meanwhile, the “SameSite=Strict” designation restricts cross-site sharing altogether, even between different domains that are owned by the same publisher.
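The rules above can be checked against the Set-Cookie headers a tool actually sends. The following is an added example, not code from Google, Instructure or the University: it classifies each header by how it is treated when the tool is loaded in a third-party context (such as an LTI tool embedded in Canvas). The function names and the sample cookies are constructed for illustration.

```javascript
// Added example: classify Set-Cookie headers under the Chrome 80 SameSite rules.
// Function names, cookie names and values are constructed for illustration.

// Parse one Set-Cookie header value into { name, attrs }, attribute names lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: pair.split("=")[0], attrs };
}

// Report how the cookie is treated; thirdParty = usable in a third-party context.
function classify(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  const secure = attrs.secure === true;
  if (raw === "none") {
    return secure
      ? { name, mode: "none", thirdParty: true, note: "available cross-site over HTTPS" }
      : { name, mode: "rejected", thirdParty: false, note: "SameSite=None requires Secure" };
  }
  if (raw === "strict") {
    return { name, mode: "strict", thirdParty: false, note: "first-party only" };
  }
  // Missing or unrecognised SameSite value: treated as Lax under the new default.
  const note = raw === "lax" ? "explicit Lax" : "no SameSite label, defaults to Lax";
  return { name, mode: "lax", thirdParty: false, note };
}

// Constructed sample headers, as an embedded tool might emit them.
const samples = [
  "session=abc123; Path=/; HttpOnly",
  "session=abc123; Path=/; HttpOnly; SameSite=None",
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "prefs=dark; SameSite=Strict",
];
for (const h of samples) {
  const r = classify(h);
  console.log(`${r.mode.padEnd(8)} thirdParty=${r.thirdParty}  ${h}  (${r.note})`);
}
```

Only the third sample, labelled with both “SameSite=None” and “Secure”, remains usable by an embedded tool; the first is the unlabelled case that stops working once the Lax default applies.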

Read more on the Chromium blog: