We have our site integrated as an iframe into another site that runs on a different domain. It seems that we cannot set cookies. Has anybody encountered this issue before? Any ideas?
old question, but this here is a suggestion that works if you can modify both websites: https://stackoverflow.com/questions/18664395/is-there-something-a-site-can-do-to-incorporate-third-party-cookies – user10607 Sep 27 '17 at 04:32
5 Answers
Since your content is being loaded into an iframe from a remote domain, it is classed as a third-party cookie.
The vast majority of third-party cookies are provided by advertisers (these are usually marked as tracking cookies by anti-malware software) and many people consider them to be an invasion of privacy. Consequently, most browsers offer a facility to block third-party cookies, which is probably the cause of the issue you are encountering.

If you have control over your user's browser settings, you can get around the cookie issue by having them add the third-party site as a 'trusted site' (for Windows, at least). The default security settings for trusted sites should allow the third-party cookies. – Loophole May 16 '13 at 04:54
Since the Chromium update of February 4, 2020 (Chrome 80), cookies default to SameSite=Lax, according to this link.
To fix this, you just need to mark your cookies as SameSite=None and Secure.
To understand what SameSite cookies are, please see this document.

Another article explaining this https://medium.com/trabe/cookies-and-iframes-f7cca58b3b9e – Nick Graham Nov 11 '20 at 15:58
After reading through Facebook's docs on iframe canvas pages, I figured out how to set cookies in iframes with different domains. I created a proof-of-concept Sinatra application here: https://github.com/agibralter/iframe-widget-test
There is more discussion on how Facebook does it here: How does Facebook set cross-domain cookies for iFrames on canvas pages?

IE requires you to set a P3P policy before it will allow third-party frames to set cookies, under the default privacy settings.
Supposedly P3P allows the user to limit what information goes to what parties who promise to handle it in certain ways. In practice it's pretty much worthless as users can't really set any meaningful limitations on how they want information handled; in the end it's just a fairly uniform setting acting as a hoop that all third parties have to jump through, saying “I'll be nice with your personal information” even if they have no intention of doing so.

In order to work in all browsers, you need P3P + the strategy I outlined in my answer. – Aaron Gibralter Jun 03 '11 at 04:03
Note that P3P is no longer in use in 2023 (and in fact for many years now) so this answer is now obsolete. – Derrick Miller Feb 08 '23 at 04:21
Despite adding SameSite=None and Secure in the cookie, you might not see the cookie being sent in the request. This might be because of the browser settings. E.g., on Brave, you have to explicitly disable it.
As more and more people are switching to Brave or block third party cookies using browser extensions, you should not rely on this mechanism.

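The SameSite behaviour described in the Chrome 80 answer and in the last answer above, as an added example that is not part of any original post: a small JavaScript checker that classifies `Set-Cookie` headers for a page embedded in a cross-site iframe. The function names and the sample headers are constructed for illustration.

```javascript
// Added example: which Set-Cookie headers survive in a cross-site iframe,
// under the Chrome 80 defaults (a missing SameSite is treated as Lax).

// Parse one Set-Cookie value into a name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Verdict for a cookie set by a page that is embedded cross-site.
function classifyForIframe(header) {
  const { name, attributes } = parseSetCookie(header);
  const raw = String(attributes.samesite || "").toLowerCase();
  // Missing or unrecognised values fall back to the Lax default.
  const sameSite = ["strict", "lax", "none"].includes(raw) ? raw : "lax";
  const secure = "secure" in attributes;
  if (sameSite !== "none") {
    return { name, verdict: "withheld", reason: `SameSite=${sameSite} is not sent from a cross-site iframe` };
  }
  if (!secure) {
    return { name, verdict: "rejected", reason: "SameSite=None without Secure" };
  }
  // Still subject to the user's own third-party cookie blocking.
  return { name, verdict: "eligible", reason: "SameSite=None; Secure" };
}

// Constructed sample headers, not taken from the page.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",
  "session=abc123; Path=/; HttpOnly; SameSite=None",
  "session=abc123; Path=/; HttpOnly; SameSite=None; Secure",
  "prefs=dark; SameSite=Strict; Secure",
];

const auditAll = (headers) => headers.map(classifyForIframe);

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(`${r.name}: ${r.verdict} (${r.reason})`);
}
```

An "eligible" verdict only means the cookie's attributes allow cross-site use; a browser or extension that blocks third-party cookies will still drop it.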