Domain A is loading domain B in an iframe. In order for domain B to set a cookie in Safari (with the "allow from current website only" configuration) we had to do some manipulations (user actions). However, now the cookie isn't being sent (to domain B).
Domain A opens domain B in an iframe.
The user clicks on a button, which opens a new tab with domain B.
The cookie is being set. Safari now has a cookie from domain B.
In the iframe we do window.location.href = "url to domain B"; the cookie isn't being sent.
If I browse to the same URL in a different tab I do see the cookie being sent.
Has anyone encountered this as well? Any known solutions?
In the mobile advertising space, a few years back, when Apple disabled 3rd party cookies on mobile Safari, Google (DFP) came out with a workaround to bypass the restriction by creating an iframe on the page and setting the cookies there. It worked for a while until Apple found out and blocked it. As far as I know, there is no workaround to enable 3rd party cookies on mobile Safari.
Short:
I need help with SSO in Safari. I'm using iframe and postMessage logic which is working fine in Chrome and Firefox (PC, Mac, Android and iOS), but the catch is in Safari. I tried the Storage Access APIs and placed those in the iframe's onLoad event to check access. But the localStorage which I used to store the JWT is not persistent in the iframe. I'm using Angular 11.
Scenario:
I'm developing a few applications which use the same auth site for SSO, which was working as expected as I said in the short description. But when it comes to Intelligent Tracking Prevention enabled browsers, as of now Safari, it blocks the iframe by considering it a 3rd party tracker, which is very insane since the iframe's origin (domain) is the same as the sub-domain used in the service sites.
I tried to check the access by using the storage access API, i.e. hasStorageAccess(), in the window onLoad method in the iframe's script. If it has no access, I call requestStorageAccess(). I'm not using a user gesture here, and I'm using a button click from the service site because I'm using Angular as the frontend framework, but the request has to be made using a button in the iframe. (Since the policy specifies that getting access works only after user interaction, which is another headache for devs.)
I need help to overcome this issue and fix the SSO with ITP. Any guidance is useful and I'll keep this updated.
Google's SSO is working fine, and their services such as YouTube and Mail don't need a login on every visit. Any idea how they achieved that?
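As an added example (not the poster's Angular code, and none of the names below come from the post), this is how the Storage Access API flow described above is normally wired: hasStorageAccess() on load only checks, requestStorageAccess() is called from a click handler inside the iframe so it carries a user gesture, and on denial the service site falls back to a top-level login instead of relying on iframe localStorage. The doc, button, storage and authUrl parameters are injected so the logic can run and be tested outside a browser.

```javascript
// Added example, not the poster's code. Storage Access API flow for an SSO
// iframe under Safari ITP: check on load, request only from a user gesture,
// and fall back to a top-level login when access is denied.
// `doc` exposes hasStorageAccess()/requestStorageAccess() (the real `document`
// in a browser, a stub in tests).

async function ensureStorageAccess(doc) {
  // Browsers without the API have no partitioned-storage prompt to negotiate.
  if (typeof doc.hasStorageAccess !== "function") {
    return { state: "granted", reason: "api-unavailable" };
  }
  if (await doc.hasStorageAccess()) {
    return { state: "granted", reason: "already-granted" };
  }
  try {
    // Only succeeds when called from a user-activated handler inside the iframe
    // and the user has previously interacted with the auth site as first party.
    await doc.requestStorageAccess();
    return { state: "granted", reason: "user-granted" };
  } catch (err) {
    return { state: "denied", reason: String((err && err.message) || err) };
  }
}

// Decide how to continue once the access result is known: read the JWT from the
// iframe's storage if it is reachable, otherwise send the top-level page to the
// auth site so the session is established first party (authUrl is hypothetical).
function chooseLoginRoute(result, storage, authUrl) {
  const token = result.state === "granted" ? storage.getItem("jwt") : null;
  if (token) return { route: "iframe", token };
  return { route: "top-level", url: authUrl };
}

// Wire the request to a click inside the iframe so it carries a user gesture;
// onRoute receives the chosen route so the caller can act on it.
function attachLoginButton(button, doc, storage, authUrl, onRoute) {
  button.addEventListener("click", async () => {
    const result = await ensureStorageAccess(doc);
    onRoute(chooseLoginRoute(result, storage, authUrl));
  });
}
```

In a real page pass document, window.localStorage and the auth site's login URL; the click handler must be on an element inside the iframe, not on the parent page.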
The reason could be that Safari has the option "Prevent cross-site tracking" enabled by default, and that can interfere with the SSO login and the display of an embedded iframe (because it blocks some cookies).
Solution
Disable (uncheck) the option "Prevent cross-site tracking" in the Safari configuration menu.
Tip: To achieve a better user experience, you can use JavaScript to detect when a user is using Safari and show them an HTML message explaining that they need to disable that option in order to continue, or use another browser like Chrome or Firefox.
With the new permission request API introduced in Safari on iOS 13, I get this error when doing the permission request in a cross-origin iframe:
Call to requestPermission() failed, reason: Source frame did not have the same security origin as the main page.
I could not find any corresponding Feature-Policy to add to the iframe "allow" attribute: neither 'accelerometer' nor 'gyroscope' worked...
Is there a way to allow DeviceOrientationEvent.requestPermission() in a cross-domain iframe?
The only workaround that worked for me is redirecting through the iframed domain once.
So, if you have abc.com, and xyz.com is an iframe under abc.com, then when landing on abc.com there needs to be an intermediate redirect through xyz.com only for the purpose of setting a blank cookie. Then Safari will allow setting a cookie from the iframe for xyz.com.
I'm not sure if there's any other better workaround. However, this worked and served my purpose.
Thanks.
I'm currently working on a web application which sits inside an iframe for security purposes (protecting user data) and is hosted on other websites. To keep session state for insecure data, we write some data to local storage for user functionality, e.g. to remember the user's background colour we save "backgroundColour" as "red".
However, I have run into the following two issues on iOS Safari, which currently work on macOS Safari, Chrome and Internet Explorer 11.
Issue 1: local storage is not retained when I force quit Safari on iOS
The user navigates to the host website, www.host.com, which loads my iframe content from a different domain, www.example.com.
The user then interacts with the iframe and saves their background colour preference, which I save to local storage.
The user then force quits Safari, or navigates away and then force quits Safari.
The user navigates back to the host website.
Expected behaviour: the localStorage contains the backgroundColour property.
Actual behaviour: the local storage is empty.
Issue 2: using the iframe content on different sites doesn't utilise local storage
The user navigates to the host website, www.host.com, which loads my iframe content from a different domain, www.example.com.
The user then interacts with the iframe and saves their background colour preference, which I save to local storage.
The user navigates to www.awesomesite.com, which also has my iframe content from the domain in step 1, www.example.com.
Expected behaviour: the local storage is retained between the different sites because the storage is keyed against the DNS name of the iframe.
Actual behaviour: the local storage is empty.
Has anyone experienced this before? Are there any workarounds that people have found? Is this a bug in iOS Safari? Have I done something wrong?
Cheers
Issue 1 is Safari behavior and cannot be changed externally with code. Please open a feature request or bug report with Apple:
https://www.apple.com/feedback/safari.html
Issue 2: Unfortunately, the technique you are using, "3rd party local storage", is a technique employed by tracking technologies. The recent privacy push has led all browsers to make stricter rules for 3rd party cookies and other local storage. You will find that privacy settings will make your user experience inconsistent. You cannot expect your local storage to be reliable when you are a 3rd party.
SEE:
Is there any workaround to set third party cookie in Iframe for safari?
AND
https://medium.com/#bluepnume/safaris-new-tracking-rules-and-enabling-cross-domain-data-storage-85241eea7483
AND
https://groups.google.com/forum/#!topic/mozilla.dev.platform/vm81cSx4teo
I was trying to host a web page in the Chrome extension popup and was hitting the error that X-Frame-Options is set to DENY or SAMEORIGIN. As an alternative approach I opened up the page in a new Chrome browser instance and injected the script into it so that I can send the message from the page to the content script and then back to my popup page once the work is done in the new window. The UI experience of this approach does not look good and hence I wanted to go via the iframe route. My extension has all URL permissions in manifest.xml.
Can someone suggest the right approach by which we can host a web page in an IFRAME in a Chrome extension popup and get around DENY and SAMEORIGIN? Also, will this be correct with respect to security?
I came across this unanswered blog, but it seems to me a hack. Hence I wanted to get clarity on the chromium-extension forum.
Getting around X-Frame-Options DENY in a Chrome extension?
I am able to see session cookies in Firefox 3.6 by going to
Tools->Options->Privacy->Remove Individual Cookies
How do I see those same session cookies in IE (6/7/8)?
Tools->Internet Options->Browsing history Settings->View files
only contains persistent cookies.
Also how do I access them programmatically? In Firefox I use the nsICookieManager interface to read the session cookies, does IE contain an equivalent interface?
Cookies set with the HttpOnly attribute will not be visible to JavaScript (e.g. via the document.cookie accessor). In IE8, 9, and 10, hit F12 to open the Developer Tools. Click Cache > View Cookie Information to see persistent and session cookies that apply to the current domain.
This feature is not present in the IE11 version of the tools, which would mean that your choices are 1) watch outbound Cookie headers in Fiddler or on the Network tab, or 2) write a plugin that calls the InternetGetCookieEx API with the appropriate flag to include HttpOnly cookies.
Type into the address bar:
javascript:alert(document.cookie)
to see the cookies that are currently readable by JavaScript.
Regarding the read/write of session cookies:
Why do you need to do it using JavaScript? Usually session cookies are needed to have a relation to server-side stored data, so you need to manage the cookies from the server side, no matter what browser there may be.
F12 -> Network Tab -> Enable Network Traffic Capturing -> Details Tab -> Request Header Tab.