
I have an iframe where I use cookie authentication. The cookie is set normally on my domain when users log in. I use SameSite=None;Secure. The problem is that when a third party website embeds an iframe from my domain, my authentication cookie is not passed so the iframe cannot authenticate the user.

This works fine in Chrome and Firefox, but doesn't work in Safari (and it used to work up until about a month ago).

I'm aware of the Webkit bug with SameSite=None, which was supposedly fixed in Safari 13. I know that Safari is no longer allowing iframes to set third party cookies (this has been the case for years, so I don't see how it could be related to this recent change). However, I'm not trying to set a cookie - I just want to read it. Until recently, this was possible (see this SO question).

Until Safari 13, there was a workaround that allowed people to set third-party cookies by redirecting the top page to the cookie-setting domain and then going back to the original page. In this case the iframe would be able to see the cookie (because again, the iframe couldn't write but it could read cookies).

I tried setting a secondary cookie with no SameSite attribute, as these were supposed to work, but it's still not being sent.

Is Safari now completely dropping cookies regardless of whether SameSite is set or not? If so, why did they bother to fix the SameSite bug? Something doesn't add up.

Update: It seems to be related to Apple's ITP 2, which sets strict standards on third-party cookies and even discriminates between domains based on which domains they deem likely to do bad tracking: https://www.seerinteractive.com/blog/what-is-intelligent-tracking-prevention/

So from what I've been gathering, there seems to be no way to circumvent the situation.

Update 2: I think I might have found a reliable solution in Webkit's Storage Access API: https://webkit.org/blog/8124/introducing-storage-access-api/

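The Storage Access API flow mentioned in Update 2, as an added example that is not code from the question or from WebKit. The helper names (`ensureStorageAccess`, `fetchWithSession`) and the injected `doc`/`fetchImpl` parameters are assumptions made so the logic can be exercised outside a browser; `/api/me` and `login-btn` are placeholders.

```javascript
// Added example: requesting first-party cookie access from inside an embedded iframe.
// `doc` is normally the real `document`; it is a parameter so the flow can be unit-tested.
//
// Caveats documented by WebKit: requestStorageAccess() must be called from a user
// gesture (a click handler, not on page load), and Safari only grants it if the user
// has previously visited the iframe's domain as a first party. Otherwise it rejects.
async function ensureStorageAccess(doc) {
  if (typeof doc.hasStorageAccess !== 'function') {
    // No Storage Access API: the browser either sends third-party cookies as usual
    // or blocks them outright; nothing more to do here.
    return { state: 'unsupported' };
  }
  if (await doc.hasStorageAccess()) {
    return { state: 'granted' };      // already granted earlier in this session
  }
  try {
    await doc.requestStorageAccess(); // resolves on grant, rejects on denial
    return { state: 'granted' };
  } catch (e) {
    return { state: 'denied' };       // user declined, or no prior first-party visit
  }
}

// The auth cookie (SameSite=None; Secure) only rides along on a credentialed request
// after access is granted. On denial, fall back to a top-level login instead of
// silently failing with a 401 in the iframe.
async function fetchWithSession(doc, fetchImpl, url) {
  const access = await ensureStorageAccess(doc);
  if (access.state === 'denied') {
    return { ok: false, reason: 'storage-access-denied' };
  }
  const res = await fetchImpl(url, { credentials: 'include' });
  return { ok: res.ok, reason: access.state };
}

// Browser wiring (skipped when run under Node): tie the request to a click.
if (typeof document !== 'undefined' && document.getElementById('login-btn')) {
  document.getElementById('login-btn').addEventListener('click', async () => {
    const result = await fetchWithSession(document, fetch, '/api/me');
    if (!result.ok) {
      // Placeholder fallback: open the login page top-level so the user visits the
      // iframe's domain as a first party, which is what ITP requires before granting.
      window.open('/login', '_blank');
    }
  });
}
```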
  • _“However, I'm not trying to set a cookie - I just want to read it.”_ - doesn’t make much of a difference, from a privacy perspective. You have set your cookie that allows you to identify me when I visited your site. Now $pornsite embeds your iframe, and via the cookie in combination with the HTTP referrer or a specific ref-code appended to the URL, you are now able to determine that I visited $pornsite … – 04FS Jan 15 '20 at 15:30
  • When your site is in an iframe, your cookies are third party cookies. There's usually a setting in the browser where you can either allow or block third party cookies. It's not good to require third party cookies to be enabled to use your widget/site/script since many people turn this off for privacy reasons. – M. Eriksson Jan 15 '20 at 15:33
  • My point is, Safari has been blocking third party cookies for years, yet until very recently I was able to read them from inside the iframe. I'm thinking there might be a bug related to the SameSite=None one that's blocking them. – tomschmidt Jan 15 '20 at 15:58
  • tom, did you manage to solve your issue with the storage access API? I have the same issue, but even when I get back that storage has been granted by the user, the returned cookie isn't getting sent back in the following request :( – Tom Teman Jan 25 '20 at 09:55
  • Yes, it solved it for me. – tomschmidt Jan 26 '20 at 11:13
  • The Storage Access API doesn't work for me. I can grant access but no cookies are stored. I can read cookies but can't store any new ones. – Matt Cosentino Apr 06 '20 at 14:49
  • @tomschmidt does the storage access API allow you to set cookies properly from a third party even with prevent cross site tracking enabled? – marc_thomas Aug 11 '20 at 21:24
