Setting cookie in iframe - different Domain

D

5

76

We have our site integrated as an iframe into another site that runs on a different domain. It seems that we cannot set cookies. Has anybody encountered this issue before? Any ideas?

Druce answered 22/1, 2010 at 12:48 Comment(1)

old question, but this here is a suggestion that works if you can modify both websites: #18664895 – Eustasius 27/9, 2017 at 4:32

K

38

Since your content is being loaded into an iframe from a remote domain, it is classed as a third-party cookie.

The vast majority of third-party cookies are provided by advertisers (these are usually marked as tracking cookies by anti-malware software) and many people consider them to be an invasion of privacy. Consequently, most browsers offer a facility to block third-party cookies, which is probably the cause of the issue you are encountering.

Kilowatt answered 22/1, 2010 at 12:51 Comment(1)

If you have control over your user's browser settings, you can get around the cookie issue by having them add the third-party site as a 'trusted site' (for Windows, at least). The default security settings for trusted sites should allow the third-party cookies. – Sorayasorb 16/5, 2013 at 4:54

E

24

From new update of Chromium in February 4, 2020 (Chrome 80). Cookies default to SameSite=Lax. According to this link.

To fix this, you just need to mark your cookies are SameSite=None and Secure.

To understand what is Samesite cookies, please see this document

Eolith answered 30/3, 2020 at 5:17 Comment(1)

Another article explaining this medium.com/trabe/cookies-and-iframes-f7cca58b3b9e – Photodrama 11/11, 2020 at 15:58

T

14

After reading through Facebook's docs on iframe canvas pages, I figured out how to set cookies in iframes with different domains. I created a proof of concept sinatra application here: https://github.com/agibralter/iframe-widget-test

There is more discussion on how Facebook does it here: How does Facebook set cross-domain cookies for iFrames on canvas pages?

Tsushima answered 1/2, 2011 at 21:59 Comment(0)

W

9

IE requires you to set a P3P policy before it will allow third-party frames to set cookies, under the default privacy settings.

Supposedly P3P allows the user to limit what information goes to what parties who promise to handle it in certain ways. In practice it's pretty much worthless as users can't really set any meaningful limitations on how they want information handled; in the end it's just a fairly uniform setting acting as a hoop that all third parties have to jump through, saying “I'll be nice with your personal information” even if they have no intention of doing so.

Westhead answered 22/1, 2010 at 12:51 Comment(2)

In order to work in all browsers, you need P3P + the strategy I outlined in my answer. – Tsushima 3/6, 2011 at 4:3

Note that P3P is no longer in use in 2023 (and in fact for many years now) so this answer is now obsolete. – Artificiality 8/2, 2023 at 4:21

C

3

Despite adding SameSite=None and Secure in the cookie, you might not see the cookie being sent in the request. This might be because of the browser settings. e.g, on Brave, you have to explicity disable it.

As more and more people are switching to Brave or block third party cookies using browser extensions, you should not rely on this mechanism.

Cytochrome answered 4/12, 2022 at 7:42 Comment(0)

Recommended topics

Hot tags