
At my job, we serve the oldest version of our product through an iFrame on our partners site (can't give details due to NDA). Recently we found out our app doesn't load on Safari desktop since "Prevent cross-site tracking" is on by default; if you disable that option it works correctly. We know it's because it's treating the session cookie as a third-party cookie (remember, iframe through other site) and blocking it.

However, and what I find funny/interesting, is that if I block third-party cookies on any other browser (I've tried Chrome, Firefox, Opera, Edge, Samsung and Brave) the site works correctly. It's only Safari where it's breaking. What's even weirder is that on Safari on iOS it doesn't break either; it's just desktop Safari and Safari Technology Preview. At first I thought that maybe it works on Firefox because it isolates cookies while Safari outright blocks them, but after seeing all the other browsers my best guess is that maybe Safari treats subdomains as third-party while all the other browsers don't.

Unfortunately, I can't find any documentation that explains how any of these browsers actually handles blocking third-party cookies / preventing cross-site tracking, only guides on how to toggle it or why it's important. I'd appreciate any guidance on where I could investigate this or confirm my hypothesis if possible, since right now it's more of a burning curiosity thing and less about completing my job.

Thanks a lot, have a nice day.

Sathania
  • I've had issues with cookies in Safari in the past as well, and it was due to the new cookie attribute "SameSite" behaving differently on Safari. So you might want to play around with that attribute. Somehow the tracking prevention of Safari has some influence on how these cookies are processed, because I also remember that when the cross-site tracking was disabled I didn't have the problem. Docs on this issue: https://bugs.webkit.org/show_bug.cgi?id=198181 – enf0rcer May 09 '23 at 15:18
