I have a parent webpage with a child iframe:

  • parent at https://first-site.com
  • child at <iframe src="https://second-site.com"> (inside of parent)
  • cookie is set by the second-site.com server upon page load using this HTTP header:
    • Set-Cookie: iqsession=869194b8e575d0d333f9395557f564f5eca31c15761c; expires=Wed, 08-Feb-2023 03:51:14 GMT; Max-Age=600; path=/; secure; httponly; samesite=none
  • When I load the page on first-site.com (with second-site.com in an iframe), Firefox fails to store the cookie for second-site.com. It's not accessible under the cookies tab, nor is it available to second-site.com on subsequent page loads. There are no warnings or errors in the console.
  • This does work in Chrome.
  • Note that I am not attempting to access cookies across domains. The cookie is only set by second-site.com on the server side and only read by second-site.com on the server side. The outer parent doesn't need to know anything about the cookie.

Any ideas why this isn't working in Firefox? This issue looks related but isn't super clear.

Derrick Miller
  • Have you found a solution by now? I'm experiencing a similar issue. When Firefox has stored cookies for second-site.com, these cookies won't be sent when second-site.com is embedded via iframe. – Daniel Mar 20 '23 at 19:12
  • I solved it by breaking out of the iframe, so that my second-site.com was the `_top` frame, checking for the cookie, and then reloading the original page. I was able to break out of the iframe because I am using Shopify App Bridge, which opens up sort of a backchannel control interface between the embedded frame and the containing site. I'm using the cookies in an auth flow. – Derrick Miller Mar 20 '23 at 21:41
  • P.S. I came to the conclusion that it's impossible to make the cookies work in Firefox while they're inside an iframe. That's just my conclusion. YMMV. – Derrick Miller Mar 20 '23 at 21:42

1 Answer

I experienced the exact same problem that you describe.

However, after struggling with it for a while, I discovered that in my case it was only happening because I was using a self-signed certificate that Firefox didn't recognize as valid. When testing the exact same code in an environment with a proper certificate, everything worked as expected.

Tao Gómez Gil
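
To rule the header itself in or out before looking at certificate trust as this answer did, the attribute rules for a cookie set inside a cross-site iframe can be checked mechanically. This is an added example, not code from the question or the answer; `parseSetCookie` and `auditForCrossSiteFrame` are hypothetical names, and the sample header is the one quoted in the question.

```javascript
// Added example: audit a Set-Cookie header for use inside a cross-site iframe.
// Function names are made up for this sketch; the header is the one from the question.
const QUESTION_HEADER =
  "Set-Cookie: iqsession=869194b8e575d0d333f9395557f564f5eca31c15761c; " +
  "expires=Wed, 08-Feb-2023 03:51:14 GMT; Max-Age=600; path=/; secure; httponly; samesite=none";

function parseSetCookie(header) {
  const [pair, ...rest] = header.replace(/^set-cookie:\s*/i, "").split(";");
  const eq = pair.indexOf("=");
  if (eq === -1) throw new Error("malformed cookie pair: " + pair);
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const raw of rest) {
    const i = raw.indexOf("=");
    // Attribute names are case-insensitive; flag attributes (Secure, HttpOnly) have no value.
    const key = (i === -1 ? raw : raw.slice(0, i)).trim().toLowerCase();
    if (key) cookie.attrs[key] = i === -1 ? true : raw.slice(i + 1).trim();
  }
  return cookie;
}

// responseScheme is the scheme of the URL that returned the header ("https" or "http").
function auditForCrossSiteFrame(header, responseScheme) {
  const { attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  const issues = [];
  if (sameSite === null) {
    issues.push("no SameSite attribute: the default is browser-dependent (Chrome treats it as Lax)");
  } else if (sameSite !== "none") {
    issues.push("SameSite=" + sameSite + ": not stored or sent when the frame is cross-site");
  }
  if (sameSite === "none" && !attrs.secure) {
    issues.push("SameSite=None without Secure: the cookie is rejected");
  }
  if (attrs.secure && responseScheme !== "https") {
    issues.push("Secure cookie on a non-HTTPS response: the cookie is rejected");
  }
  return issues;
}

// Prints [] for the question's header: its attributes are not what blocks the cookie.
console.log(auditForCrossSiteFrame(QUESTION_HEADER, "https"));
```

An empty list means the header is not the problem, so the remaining suspects are things the header cannot show, such as the untrusted self-signed certificate described in this answer.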