1

I have a flow where I click a button, which triggers a new window to open where the original url is the same as the origin domain. This flow works fine normally (site not embedded in an iframe). I see the requests as expected, the cookies persist when the site loads in the new window, everything is great.

But when I embed my site in an iframe while on a 3rd party site, when the new window is launched, the requests doesn't carry over any cookies. This experience only happens on IE (Tested Safari, Edge, Chrome, Firefox). I'm essentially just looking for an explanation to why this occurs. Is IE dropping cookies because I'm launching a new window from an iframe that has a src that doesn't match the 3rd party domain? Does IE drop cookies because it's an iframe launching a new window? I'm not able to find an answer to why IE is dropping cookies.

To be more specific. My code is calling window.open(url); That url is the same domain that iframe src is pointing to. In all browsers except IE11, in the new window that opens, I see the cookies that were written to the browser prior to the new window being open, IE11 those cookies are no where to be found.

Does IE11 have any unique functionality when calling window.open(url) within an iframe that cause cookies to be dropped from the request?

Additional info:

So I dove into the 3P IE iframe issue to see that it's actually the problem. What I saw was that when I checked the webpage privacy report, the 3rd party site that I am embedding is listed as cookies are accepted. When I click the button to open a new window, and I check the webpage privacy report of that new window, I don't see the cookies are accepted (because none are sent), but they're not listed as blocked either.

So I'm not entirely convinced this is a 3P cookie issue yet. Primarily because I am able to write cookies from the iframe, the issue only occurs when a new window is opened and the cookies no longer exist in the new window.

Update:

Dove into the privacy settings, I have set all the privacy options to the lowest possible settings (Allow all session cookies, allow 3P cookies, allow pop ups from secure sites). Still, no cookies are being passed from this dang iframe. Everything is still okay when the flow is executed when hitting the normal site, but when embedding the cookies still fail to get passed.

Now what's also interesting, when I go through the flow normally (meaning not in an iframe, cookies are set normally), then try to go through the flow through the iframe, the flow works. This definitely because the cookies are already set when streaming the first time. So now my question is why does the pop up window honor those cookies that were set, but not the iframe cookies?

I just want to know how IE11 works my goodness.

Update 2 If I disabled "enabled protected mode" in the settings everything works fine. Just need to figure out what in protected mode is causing the issue.

Joseph hooper
  • 967
  • 4
  • 16
  • 35
  • @JaromandaX I'm asking about the how internet explorer handles the relationship between iframes and cookies. Like I said, the code I have works on Chrome, Firefox, Safari, and Edge. That's why I'm asking about IE functionality specifically. – Joseph hooper Sep 11 '19 at 05:16
  • @JaromandaX my code is calling window.open(url); That url is the same domain that iframe src is pointing to. In all browsers except IE11, in the new window that opens, I see the cookies that were written to the browser prior to the new window being open, IE11 those cookies are no where to be found. I will add this to the question. – Joseph hooper Sep 11 '19 at 05:21
  • Internet Explorer gives a lower level of trust to IFRAME pages. If the page inside the IFRAME doesn't have a Privacy Policy, its cookies might be blocked, to prevent it, you could create a p3p policy (the p3p Policy must be sent by the pages inside the frames, not by the top-level site. ). More detail information, please check [this thread](https://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer) and [this blog](https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/). – Zhi Lv Sep 11 '19 at 08:53
  • @ZhiLv-MSFT Thank you, this was helpful. I looked into this issue but I'm not convinced this is the problem, The privacy report on either window does not show any cookies are being blocked. – Joseph hooper Sep 11 '19 at 19:26
  • 1
    `Update 2 If I disabled "enabled protected mode" in the settings everything works fine. Just need to figure out what in protected mode is causing the issue ` perhaps the issue is related to the mixed zones, more detail information, please check the [Beware Cookie Sharing in Cross-Zone Scenarios](https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/). – Zhi Lv Sep 27 '19 at 09:20
  • @ZhiLv-MSFT Almost forgot to update the ticket.This was the issue. Thanks for shedding light on this! I believe it was your comment on another thread that helped me figure this out. Thanks! – Joseph hooper Oct 02 '19 at 00:02

0 Answers0