
Safari cookie in iframe

The latest Safari update blocks 3rd-party cookies in iframes ( https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/ ).

They offer several solutions to resolve it. I have tried to implement the Storage Access API solution, but do like the result.

Can anyone give a hint or a sample flow, without technical details, on how to implement this:

> Option 1: OAuth 2.0 Authorization with which the authenticating domain (in your case, the third-party that expects cookies) forwards an authorization token to your website which you consume and use to establish a first-party login session with a server-set Secure and HttpOnly cookie.

firstparty.com has 3rdparty.com in an iframe. According to option 1, 3rdparty.com authorizes via OAuth and receives a token. But what does it mean to "forward the token to your website to establish a login session"? Should 3rdparty.com run the login routine as a first party in a separate window?

Sergey Korzhov asked Apr 24 '20 13:04




1 Answer

What they are referring to is still having the cookie be first-party (on your website). For example, the user follows this flow:

  1. Go to website.com.
  2. Redirected to oauthSite.com for authentication.
  3. oauthSite.com redirects back to website.com with a token (or code).
  4. website.com sets the token locally in server-side code.
  5. The user now has a Secure (HTTPS only) and HttpOnly (inaccessible to JavaScript) cookie token that can be used for stateless interactions with website.com.

This site seems to go through the flows quite well: https://medium.com/@darutk/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85

user2316924 answered Sep 20 '22 21:09
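The redirect-based flow described in the answer, as an added example that is not part of the original question or answer. It uses only the Python standard library; website.com (first party), oauthSite.com (authorization server), the client id and the callback path are assumed names, and exchange_code() is a stub standing in for the real back-channel token request so the example runs offline. The point it makes concrete is step 4: the token from oauthSite.com never reaches the browser, only an opaque session id does, in a Secure, HttpOnly first-party cookie, and the callback is tied to the browser that started the flow with a single-use state value.

```python
"""Minimal first-party OAuth login sketch (added example, not from the original post)."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://oauthSite.com/authorize"  # assumed authorization server
CLIENT_ID = "website-client"                             # constructed value
REDIRECT_URI = "https://website.com/callback"            # assumed first-party callback


def build_authorize_redirect(state_store):
    """Step 2: build the redirect to the authorization server.

    A random, single-use state is remembered server-side so that only a
    callback belonging to this browser's flow is accepted later.
    """
    state = secrets.token_urlsafe(32)
    state_store[state] = True
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def state_from_redirect(redirect_url):
    """Helper for tests/demo: pull the state parameter out of the redirect URL."""
    return parse_qs(urlparse(redirect_url).query)["state"][0]


def exchange_code(code):
    """Stand-in for the back-channel token request in step 4.

    Real code POSTs the code plus client credentials to the token endpoint and
    reads the access token from the response; a constructed token is returned
    here so the flow runs offline.
    """
    return f"access-token-for-{code}"


def handle_callback(callback_url, state_store, session_store):
    """Steps 3 to 5: consume the redirect back from oauthSite.com.

    Returns (status_code, headers). The access token stays on the server in
    session_store; the browser only receives an opaque session id in a
    Secure, HttpOnly, SameSite cookie scoped to website.com.
    """
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]

    # Reject callbacks whose state we never issued or already consumed.
    if not state or not state_store.pop(state, False):
        return 400, {}
    if not code:
        return 400, {}

    access_token = exchange_code(code)

    session_id = secrets.token_urlsafe(32)
    session_store[session_id] = {"access_token": access_token}

    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True     # sent over HTTPS only
    cookie["sid"]["httponly"] = True   # not readable from JavaScript
    cookie["sid"]["samesite"] = "Lax"  # first-party cookie; still sent after the top-level redirect back
    cookie["sid"]["path"] = "/"
    set_cookie = cookie.output(header="").strip()
    return 302, {"Location": "https://website.com/", "Set-Cookie": set_cookie}


def demo():
    """Run the whole flow once with a constructed callback from oauthSite.com."""
    state_store, session_store = {}, {}
    redirect = build_authorize_redirect(state_store)
    state = state_from_redirect(redirect)
    callback = f"{REDIRECT_URI}?code=abc123&state={state}"  # constructed redirect back
    status, headers = handle_callback(callback, state_store, session_store)
    return status, headers, session_store


if __name__ == "__main__":
    print(demo())
```

Because the cookie is set by website.com in a top-level navigation, it is a first-party cookie and is unaffected by Safari's third-party blocking; the iframe question disappears because the embedded third party no longer needs its own cookie.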