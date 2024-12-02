Third-Party Cookies and EdTech

In a recent article, Jan Ozer provided an over­view of the Cookie Apocalypse and raised the question of why it has received so little attention. The article fo­cused on FAST and other ad-­supported business models, for which the end of third­-party cookies poses a grave threat. In edtech, the situ­ation may be even more dire, since course web­sites are typically designed with third­-party in­tegrations that deliver crucial elements of the curriculum and traditionally rely on cookies to allow seamless cross­domain integration.

These cross-­domain, third-­party cookies are essential for the operation of single sign-­on (SSO) and Learning Tools Interoperability (LTI) authentication methods. Many course webpages contain a video player in one I-­frame and an interactive quiz in another to enable students to learn the material and formatively test their learning as they proceed in the video. The stu­ dent would be logged in to both of those embed­ded websites for legitimate educational pur­ poses: The two embedded websites should be sending personalized learning analytic data to a school­managed learning record ware­house using Caliper or xAPI standards so the student and teacher both have evidence of the work that was performed for the course, and the institution can aggregate the data to infer optimal study practices toward which incom­ing students can be directed. That data collec­tion scheme is exactly what a cross­site track­ ing cookie does, except here, the purpose is solely to benefit the student and the school.

Safari was the first major browser to dis­able third­-party cookies by default, at substan­tial cost to its popularity on school campuses. Chrome was scheduled to follow suit in October 2024, but changed course late in the summer, due partially to the lack of urgency on the part of many vendors. Savvy and forward­-thinking edtech companies have pursued at least two strategies to survive the eventual Cookie Apocalypse utilizing new web browser stan­dards. The first uses a new type of limited­ scope, third­-party cookie, and the other doesn’t use cookies at all.

The first post­third­party cookie privacy strategy relies on Cookies Having Independent Partitioned State, or CHIPS. These cross­-domain replacements for standard cookies are accessible only when embedded under a specific domain.

Our school’s learning management system (LMS) sets a session cookie so a student can stay logged in to the many pages in their course website. One of those pages embeds a video playlist widget, and that widget sets a session cookie for the VMS domain partitioned under the LMS domain so the student can load dif­ ferent videos without re­authenticating. If the student goes to any other website using re­ sources from the VMS—even the VMS web­site—they need to re­authenticate, since the session cookie for the VMS partitioned under the LMS is not accessible anywhere other than with that specific embedding.

Although partitioned cookies are support­ed in the WebKit engine used by Chrome and Edge, Safari dropped them from its variant of WebKit. However, the reasoning for removing them was because Apple had unsuccessfully explored heuristically partitioning third­party cookies in the browser and probably did not ex­ pect them to catch on since partitioned cookies don’t allow cross­site tracking. They could be restored to Safari if this strategy achieves uni­ versal support from the other major browsers. The other strategy that has traction despite its unfortunate name is an addition to the LTI specification called LTI OIDC Login with LTI Client Side postMessages.

Strictly speaking, this strategy piggybacks on two different but very useful LTI specifications. One is LTI Client Side postMessages, which allows a third­party activity to, among other things, resize its I­frame height to remove ex­tra scroll bars in the middle of a page. The oth­er is LTI postMessage Storage, which allows the embedded third­party activity to store and re­ call data in the localStorage property of the top­level window object. This strategy makes cookies entirely unnecessary, but it has conse­ quences that may be undesirable. For example, the VMS session state would not necessarily be shared across browser tabs.

Please enable JavaScript to view the comments powered by Disqus.

Related Articles