The stable release of the Google Chrome web browser (build 80, scheduled for release on February 4, 2020) features a change in how cookies are handled. This will include two changes:
- Cookies without a '''SameSite''' attribute will be treated as SameSite=Lax.
- Cookies with '''SameSite=None''' must also specify '''Secure''', meaning they require a secure context.
The changes are explained in https://web.dev/samesite-cookies-explained and https://blog.chromium.org/2019/10/developers-get-ready-for-new.html.
Moodle and Microsoft Teams integration will be affected by this change, because the integration requires embedding Moodle pages in Teams. There is an open item in Moodle Tracker about this change in broader context at https://tracker.moodle.org/browse/MDL-67175, but the code change proposed in the tracker item didn't get integrated in time for the last minor Moodle upgrade before Chrome 80 release date. As a result, all sites using Moodle and Microsoft Teams integration feature are strongly suggested to apply the patches proposed in the tracker item so that users with Chrome 80 can keep using Moodle tabs in Teams after upgrade.
- Patches are provided for all Moodle versions that are supported for core feature and security issues, i.e. 3.5, 3.6, 3.7 and 3.8.
- Patches are only required before this is integrated into the next Moodle minor release of the Moodle versions, which is scheduled at March 9th, 2020.
- After the next Moodle minor release, the patch should be removed as it would be integration into core Moodle code.