WeBWorK Main Forum

Browser Chrome 80 upgrade carries a warning for canvas LTI users?

Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by tim Payer -
Number of replies: 10
Greetings,

Our college, and most of the CSU system will soon (in February) be upgrading their browsers on all campus computers: Chrome to chrome 80, Mozilla (Firefox) and Microsoft. There is a curious note in this upcoming upgrade that LMS Canvas users may have an issue with their third party LTI connections.

Here is the link prompting the concern:

Is this something we should be preparing for in regard to our LTI files that link Canvas and Webwork?

Please let us know if we need to make changes before any problems occur.

Thanks so much in advance, Tim




In reply to tim Payer

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by Nathan Wallach -
Tim - Thanks for bring this up.

I'm not sure, but I suspect that LTI to a new window will not be effected, but that LTI to an iFrame (in-page use) will probably be effected.

My analysis and some thoughts on what may need to be changed is in the GitHub issue I just created: https://github.com/openwebwork/webwork2/issues/1072


In reply to Nathan Wallach

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by tim Payer -
Thanks Nathan,

We will know next week whether the Canvas-LTI link is an issue once the upgraded browsers are in place.

Thanks, Tim
In reply to tim Payer

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by Paul Vojta -
Any news on this? Here's an error message that I got today that seems to reflect the problem. Will switching it to a new window instead of iFrame fix it?

Warning messages

Error messages

Internal apreq error

Call stack

The information below can help locate the source of the problem.



in Apache2::Request::upload called at line 252 of /opt/webwork/webwork2/lib/WeBWorK.pm

Request information

Method POST

URI /webwork2/Math-53-Sp20-Wood/WW2-13/1/

HTTP Headers

Content-Length 2806

Accept-Encoding gzip, deflate, br

Cookie _ga=GA1.2.950856106.1561409374; visid_incap_496857=7J4bXMTXRMuZDEh+HIgjhfg38F0AAAAAQUIPAAAAAAA6xgTGbOjvqAugD+cZVqtB; _fbp=fb.1.1576048451573.1349818864; _gid=GA1.2.606563127.1581497703; _gat=1

Upgrade-Insecure-Requests 1

Host webwork.math.berkeley.edu

Cache-Control max-age=0

Content-Type multipart/form-data; boundary=----WebKitFormBoundaryN8IrWYVtfQ6mLnbB

Connection keep-alive

Sec-Fetch-Dest iframe

User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36

Sec-Fetch-Site same-origin

Origin https://webwork.math.berkeley.edu

Referer https://webwork.math.berkeley.edu/webwork2/Math-53-Sp20-Wood/WW2-13/1/?user=xxxxxx&effectiveUser=xxxxxx&key=yyyyyyyyyyyyyyyy

Accept text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Mode navigate

Sec-Fetch-User ?1

Accept-Language en-US,en;q=0.9
In reply to Paul Vojta

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by Michael Gage -
Hi Paul,

Which server is canvas running on? One at Berkeley? and which server
is webwork running on? courses1.webwork.maa.org at MAA or some other
webwork server (perhaps at Berkeley)

Take care,

Mike

oh. And what version of webwork is being used?

my first guess is that switching it to a new window won't solve this -- you need to allow cross-site references. But see Nathan Wallach's post -- he probably has more insight into this.
In reply to Michael Gage

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by Paul Vojta -
Canvas is running on a server at bcourses.berkeley.edu (located on amazonaws.com). Webwork is 2.14 as I recall, last updated Jan. 2019.
But, I'm having second thoughts about this being the same-site problem. First of all, we aren't getting a sudden torrent of errors, and secondly we haven't seen any warnings from Chromium versions 79.xxx that one would have expected.
So, at this time, I'm watching the error logs but not doing much else.
Paul
In reply to Paul Vojta

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by Nathan Wallach -
I'm looking into a different report about "Internal apreq error" in "Apache2::Request::upload" due to a complaint received from a student and found 2 forum chains.
The first chain reports that it was fixed by the ISP which was blocking some of the communication and once the stopped the blocking the problem disappeared.

However, I suspect that in most cases the problem is probably pretty rare and intermittent and caused by network latency issues which occur more or less at random, as there do not seem to be frequent reports of such issues anywhere.

Based on the log records discussed below - most such errors seem to be caused by network timeouts. 

I found a small number of such error messages in the Apache error.log and every one seen in the several months (the log file I have) is preceded by a line reporting "ap_get_brigade failed during prefetch".

[Log records edited to hide IP address details and full course paths]

Most of the  log records (over 85%) are for a timeout, ex:
  • [Fri Jan 24 11:38:39.242984 2020] [:error] [pid 319] (70007)The timeout specified has expired: [client ip_address:port] ap_get_brigade failed during prefetch, referer: https://webwork.technion.ac.il/webwork2/courseID/...

But two other formats were seen:
  • [Thu Jan 30 18:47:22.658777 2020] [:error] [pid 3517] (70008)Partial results are valid but processing is incomplete: [client ip_address:port] ap_get_brigade failed during prefetch, referer: https://webwork.technion.ac.il/webwork2/html2xml
  • [Sat Feb 08 12:49:49.159787 2020] [:error] [pid 2582] (104)Connection reset by peer: [client ip_address:port] ap_get_brigade failed during prefetch, referer: https://webwork.technion.ac.il/webwork2/html2xml
In reply to Nathan Wallach

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by Nathan Wallach -

Work to support the samesite attribute and is in https://github.com/openwebwork/webwork2/pull/1149 which is currently targeted to the develop branch.

The matter is somewhat more urgent, as Firefox is reporting that it will reject the WeBWorK cookie in a future version.

In reply to Nathan Wallach

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by tim Payer -

Hi Nathan,

I wrote that note way back in January, and fortunately we have not had any issues with the Canvas to Webwork LTI connections. The update of Google chrome did not affect our connection.

But your note seems to imply that this now might become an issue again?

In any case We are MAA subscribers and can not take on any fixes. Especially since we are using version 2.13 and the MAA has yet to move to the later versions for Subscribers...


Tim

In reply to tim Payer

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by Nathan Wallach -
I am still convinced that the issue, once the real changes in Firefox and Chrome are made will likely (at least in the soon to take effect stage) only effect sites that display WeBWorK problems embedded in pages from other sites. So long as the students directly use the relevant WW site and its URL is what is shown by the browser - the cookie policy changes should (hopefully) not break anything. However, since for some uses it is likely to make problems, I tried to create a suitable patch for the development branch of WW. Once it is tested, it can be backported to older branches, if that is necessary. There are some other significant fixes in the development branch and planned for inclusion there, several of which are "security" improvements - so I hope that once WW 2.16 is ready there will be very good reasons for sites (including the MAA) to upgrade.
In reply to Nathan Wallach

Re: Browser Chrome 80 upgrade carries a warning for canvas LTI users?

by tim Payer -
Thanks for the follow up Nathan.

Hopefully WW 2.16 comes to the MAA subscribers soon!

Tim