
block third party cookies - workaround (facebook apps etc)

Safari on a Mac has "Block cookies" set to "From third parties and advertisers" by default.

It stops the SharedObject from working if the embedded swf is from a different domain.

This problem isn't new: Safari 3rd party cookie iframe trick no longer working?

Has anyone found a solution (other than passing the Session ID through GET/POST params in each request)?

NOTE: I have no access to the site, which is embedding the swf, so there is no way to alter that HTML or to put any JavaScript, etc.

sanchez asked Jul 24 '12 16:07


2 Answers

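// Safari's user agent contains "Safari" but not "Chrome" (Chrome's contains both).
function setCookie(){
   if ( navigator.userAgent.indexOf('Safari') != -1 &&
        navigator.userAgent.indexOf('Chrome') == -1 ){
      // Open safari.php in a popup, i.e. as a top-level page on our domain.
      window.open('safari.php','','width=200,height=100' );
   }
}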

// then we set the cookie in safari.php

Source: http://www.reizbombardement.de/archives/safari-5-1-4-enforces-cookie-policy

//UPDATE 23 July 2013

This crappy way of fixing this issue used to work until Safari 6.

Please see @Fabio Antunes and @ncubica comments below.

//UPDATE 23 July 2013 by Fabio Antunes

Here's my code

On the landing page we'll have a brief description about the app and a button saying something like "enter". I'm using jQuery to simplify this process, creating a listener for the click event. I'll just put the JavaScript code, since I'm assuming you already have the rest of the HTML code for the landing page:

$(document).on("click", "#bt-landing", function(){
    var left = (screen.width/2)-(500/2);
    var top = (screen.height/2)-(250/2);
    window.open('URL_FOR_THE_PHP_THAT_WILL_CREATE_THE_SESSION', '_blank', 'width=500,height=250,toolbar=0,location=0,menubar=0, top='+top+', left='+left);
});

This will open a small window, 500 by 250 px, centered on your screen.

The code I have for the small window is this:

<?php setcookie("safari_cookie", "1"); ?>
<html>
    <head>
        <meta charset="utf-8">
        <title>THE NAME OF YOUR APP OR SOMETHING THAT THE USER WILL READ AND ASSUME THAT THIS SMALL WINDOW IS RELIABLE</title>
    </head>
    <body>
    <script type="text/javascript">
    // jQuery is not loaded in this popup, so use the plain load event.
    window.addEventListener("load", function(){
       // Close the popup one second after it has loaded.
       setTimeout(function(){ window.close(); }, 1000);
    });
    </script>
    </body>
</html>
sanchez answered Sep 19 '22 01:09


Safari does still block cookies from domains which it has not visited in the top window.

To work around this, we count($_COOKIE) in PHP and direct the browser to a page on our domain whose job it is to simply send the browser back to where it came from. It's a dirty trick which means some users will unnecessarily get moved away and then back, but then, the web is full of dirty tricks.

If you cannot set top.location.href to a page on the domain which needs to set cookies, or you cannot alter a page on said domain, then I can confidently say you'll need to use URL-based sessions.

However, an alternative option (which still requires being able to create a page on the domain) is to request that the user clicks on your SWF; you can then trigger window.open and have the URL point to the page you created. All it needs to do is load successfully, then the user (or even JS on the popup page itself) can close the popup. You may then set cookies.


I develop Facebook apps, which live inside iframes, which suffer this problem. Every single app has to be shipped with this fix.

rcambrj answered Sep 19 '22 01:09
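
The redirect-and-return flow from the second answer, sketched as an added example that is not code from either answer. It goes one step further than the answer by validating the return URL, since a page whose only job is to send the browser back is otherwise an open redirect. The allowed host, the `/bounce` path, the `first_party_seen` cookie, the `bounced` parameter and all function names are assumptions.

```javascript
// Added example; every name below is an assumption, not from the answers.
const ALLOWED_RETURN_HOSTS = new Set(['apps.facebook.com']); // host that embeds the iframe
const BOUNCE_PATH = '/bounce';            // hypothetical page on the cookie-setting domain
const MARKER_COOKIE = 'first_party_seen'; // hypothetical marker cookie

// Parse a Cookie request header (what count($_COOKIE) inspects in PHP).
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Accept only https URLs on expected embedding hosts; without this check
// the bounce page is an open redirect.
function safeReturnUrl(raw, fallback) {
  try {
    const u = new URL(raw);
    if (u.protocol === 'https:' && ALLOWED_RETURN_HOSTS.has(u.hostname)) return u.href;
  } catch (_) { /* relative or malformed input */ }
  return fallback;
}

// Request arriving inside the iframe.
function iframeRequest(cookieHeader, embedUrl, alreadyBounced) {
  if (Object.keys(parseCookies(cookieHeader)).length > 0) return { action: 'serve' };
  // Already bounced once and still no cookies: stop looping, use URL-based sessions.
  if (alreadyBounced) return { action: 'url-session' };
  // Otherwise the iframe page sets top.location.href to this target.
  return { action: 'top-redirect', target: BOUNCE_PATH + '?return=' + encodeURIComponent(embedUrl) };
}

// Request for the bounce page, loaded in the top window on our own domain.
function bounceRequest(returnParam, fallback) {
  const back = new URL(safeReturnUrl(returnParam, fallback));
  back.searchParams.set('bounced', '1'); // lets iframeRequest detect a loop
  return {
    status: 302,
    headers: {
      // SameSite=None; Secure so the cookie is also sent in the cross-site iframe.
      'Set-Cookie': MARKER_COOKIE + '=1; Path=/; Secure; HttpOnly; SameSite=None',
      Location: back.href,
    },
  };
}
```
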