11

I am trying to find a way to set cookies in an iframe in Safari. Safari has a policy of not allowing iframes to set cookies unless the user clicks on something in the iframe.

I have read through questions/answers on Stackoverflow and other articles. Here are some links:

They all mention variations of a technique to accomplish this. The basic idea is to create a form element and make it submit a POST request either through JavaScript calls or through the user clicking a button. Once a POST request is sent, Safari considers the user to have interacted with the site and thereafter allows cookies to be set.

I made a few attempts to implement this technique. I failed.

I found an article (http://online.wsj.com/article/SB10001424052970204880404577225380456599176.html) in the Wall Street Journal that talks about how Google used this technique to place their +1 buttons into their DoubleClick ads. The article also cites Anant Garg's blog post (link above) about how to work around the limitation.

Here's a quote from the article:

To get around Safari's default blocking, Google exploited a loophole in the browser's privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.

Another quote:

An Apple official said: "We are working to put a stop" to the circumvention of Safari privacy settings.

I am working with Safari 5.1.5 which was released on March 26, 2012. The WSJ article was published on February 17, 2012. Is it possible that Apple has changed Safari so that this workaround no longer works? Can anyone confirm that this technique works on Safari 5.1.5?

Community
  • 1
  • 1
hekevintran
  • 22,822
  • 32
  • 111
  • 180
  • possible duplicate of [Safari 3rd party cookie iframe trick no longer working?](http://stackoverflow.com/questions/9930671/safari-3rd-party-cookie-iframe-trick-no-longer-working) – philfreo May 30 '13 at 18:06

1 Answers1

9

See this thread: Safari 3rd party cookie iframe trick no longer working?

Safari has enforced its cookie policy with 5.1.4.

Community
  • 1
  • 1
vwoelm
  • 306
  • 1
  • 7
  • Does that mean, that it is not possible by any means, to set a cookie on a cross-domain page in an iframe on Safari? – Eydun May 09 '12 at 11:20
  • 1
    True. The user has to interact *and* the cookie can only be set when the domain matches. My current workaround: http://www.reizbombardement.de/archives/safari-5-1-4-enforces-cookie-policy – vwoelm May 09 '12 at 12:07
  • 1
    If you control both domains, you can direct the user to domain b, set the cookie, and then direct the user back to domain a. Safari will pass along a cookie in an iframe that's already set, you just can't create new cookies. – Dave Aaron Smith Feb 24 '13 at 16:05
  • @Dave Arason Smity : I am already doing same what you said. After setting a cookie of domain b and redirection to domain A. I am loading domain B inside domain A with iframe. After some time User has blocked third party cookie in browser setting. Now domain B no longer sending cookie to server that already been set. Any work around for this problem ? – Saravanan Jan 21 '17 at 15:51
  • @DaveAaronSmith this isnt the case anymore with Safari 13.1.1, they dont get picked up anymore in the iframe. – Mike Flynn Aug 18 '20 at 19:55