Menu
I have an iframe on my page. As Safari blocks 3rd party cookies, I am trying to use the Storage Access API as suggested here under 'Developer Guidance': https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/. I have copied the following code from the documentation:
<script type="text/javascript">
window.addEventListener('load', () => {
document.getElementById('test-button').addEventListener('click', () => {
document.hasStorageAccess().then(hasAccess => {
console.log('hasAccess: ' + hasAccess);
if (!hasAccess) {
return document.requestStorageAccess();
}
}).then(_ => {
console.log('Now we have first-party storage access!');
document.cookie = "foo=bar";
console.log(`document.cookie: ${document.cookie}`);
}).catch(_ => {
console.log('error');
});
});
});
</script>
<button id="test-button">Test</button>
Browser console output:
[Log] hasAccess: true
[Log] Now we have first-party storage access!
[Log] document.cookie:
As you can see, the grant seems to be successful but still cannot set the cookie. Does anyone have an idea what's wrong?
Safari Version 13.0.1
EDIT: Console output on Safari 13.1:
[Log] hasAccess: false
[Log] error
Note: The enclosing page is a simple iframe tag with a src pointing to this page.
582
Send the message using postMessage method on the iframe element which you get by assigning a unique ID to the element itself. Back in our app that's now rendering inside an iframe, listen for the message event. Message event here tells us that the cookie has been successfully set in the parent site.
The Storage Access API provides a way for embedded, cross-origin content to gain unrestricted access to storage that it would normally only have access to in a first-party context (we refer to this as an origin's first-party storage).
The SAF makes it simple for users to browse and open documents, images, and other files across all of their preferred document storage providers. A standard, easy-to-use UI lets users browse files and access recents in a consistent way across apps and providers.
Make sure a cookie has already been set for the domain in a first-party context.
There's a couple of things to look out for with that code sample. Please note the following was tested on Safari 13.1.
document.requestStorageAccess has to be called as a result of a user action. Despite as documented on the MDN docs, document.hasStorageAccess does not seem to propagate the user action.A cookie must have already been set on the domain in a first party context. This cookie can either be set by the server as a response header, or by JS using document.cookie. With a bit of further testing, it seems this cookie MUST NOT be set with the domain flag in order for a subsequent cookie to be set in the third party context. This means that in effect, the existing cookie must also be set on the same exact sub domain.
93
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
