Looking for other third-party SPs that fail with stricter SameSite settings

Brent Putman putmanb at georgetown.edu
Thu Feb 6 19:15:14 EST 2020

On 2/6/20 6:50 PM, Cantor, Scott wrote:
> Yes, that's certainly odd. Any evidence they're only setting SameSite for Chrome? I didn't trace it to check.

I thought you were onto something with that.  SameSite is not being set
for FF.  But then I looked and it's (now) not being set for Chrome
either.  I could have *sworn* in my earlier tests it was being set to
None for their main 'canvas_session' cookie.  But it's not now for me. 
To confuse matters further, it still works in Chrome with the flags set
and the lack of a SameSite (!!!!!).  I tried 3 times, clearing state and
restarting, trying to eliminate user error.  Maybe I am doing something
wrong.  Or maybe the Canvas infrastructure is not consistently updated
in the AWS environment, and it's depending on which random node I'm
hitting, or something.  I'll try again later.

Anyway... I'm extremely confused now.  Is there an emoji for pulling
one's hair out?
