Is there a workaround for Safari iOS "Prevent Cross Site Tracking" option, when issuing cookies from API on different domain?

2

22

Are there any workarounds that allow me to keep the "Prevent Cross Site Tracking" option enabled (as it is by default, so every user will have it on), and issue CORS cookies from my back-end API that is on a different domain than my Angular app?

My application flow is as follows:

1. User logs in
2. The server authenticates, issues a JWT and stores the JWT inside of an HttpOnly cookie
3. All Angular requests have {withCredentials: true}

This works perfectly fine on... Windows desktop browsers. However, when I try to log in on Safari iOS and Mac Safari, the cookie is not saved, nor is it sent with subsequent requests.

I found that disabling the "Prevent Cross Site Tracking" option works, but I cannot expect all of my users to disable this option to use my app.

Are there any workarounds for this right now?

Graniela answered 10/7, 2019 at 13:48 Comment(2)
Have you tried doing this? - Stridor
If I were to do this again, I would probably ensure I have a very solid Content Security Policy in place, and I would just store the JWT in local storage, and then attach it to every request from the client side app. - Graniela
5

I'd suggest putting both your website and the API on the same domain, e.g. https://web.mydomain.com and https://api.mydomain.com. This shouldn't be too difficult to implement - I haven't found any simple technical solutions online yet that will force Safari on iOS to allow this without changing the settings.

Streamy answered 26/11, 2019 at 2:52 Comment(3)
Doesn't work, Safari treats that as cross domain apparently. - Glyco
I have found that this does work for me. (implemented with a CNAME alias for the API domain) - Dominion
This works for me, though I had to refresh the page after the cookies were set in order to see the cookies in the cookies panel. But they were immediately visible in the console when I ran document.cookies. - Sublimation
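
A sketch of the same-domain setup suggested in the answer above, as an added example that is not part of the original thread: the API at api.mydomain.com checks that the calling origin shares its registrable domain, then returns the JWT cookie together with credentialed CORS headers. The cookie name, the origin allowlist and all function names are assumptions, and the two-label domain rule is a simplification (real code should consult the Public Suffix List).

```javascript
// Added example (not from the thread). All names below are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://web.mydomain.com"]);
const COOKIE_NAME = "session"; // assumed cookie name

// Naive eTLD+1: the last two labels. Assumption for this sketch only;
// suffixes such as "co.uk" need the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// True when the page origin and the API host share a registrable domain,
// so the browser treats the API's cookie as first-party.
function isSameSite(origin, apiHost) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.protocol === "https:" &&
    registrableDomain(url.hostname) === registrableDomain(apiHost);
}

// Set-Cookie value for the JWT: host-only on the API, hidden from script.
function sessionCookie(jwt, maxAgeSeconds = 3600) {
  return [
    `${COOKIE_NAME}=${encodeURIComponent(jwt)}`,
    "Path=/", `Max-Age=${maxAgeSeconds}`,
    "HttpOnly", "Secure", "SameSite=Lax",
  ].join("; ");
}

// Credentialed CORS needs the exact origin echoed back, never "*".
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Headers for a successful login response, or null when the caller is not
// an allowlisted origin on the same registrable domain as the API.
function loginHeaders(origin, apiHost, jwt) {
  const cors = corsHeaders(origin);
  if (!cors || !isSameSite(origin, apiHost)) return null;
  return { ...cors, "Set-Cookie": sessionCookie(jwt) };
}
```

With `SameSite=Lax` the cookie is still sent on the Angular app's `withCredentials` requests, because web.mydomain.com and api.mydomain.com count as the same site.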
0

I had the same issue and reloading the page (CTRL+R) indeed updated the state of Safari's inspect section and I could then see the cookies under the "Storage" -> "Cookies" section. All credits to Dashiell (I just don't have enough reputation to add a comment here :D)

Lusterware answered 1/7, 2022 at 18:13 Comment(0)
