22

From the Apple developer FAQ:

Safari ships with a conservative cookie policy which limits cookie writes to only the pages chosen ("navigated to") by the user.

By default Safari only allows cookies from sites you navigate to directly (i.e. if you click on links with the URL of that domain name).

This means that if you load a page from your own site with an iframe containing a page from another site (for instance, a ticket shop), the other site is not able to set cookies. As soon as you have visited the other domain directly, the other site is able to access and change its own cookies.

Without having access to code on the other site, how can I make the user experience as unobtrusive as possible?

Is there a (JavaScript?) way to check if the other site's cookies are already set, and accordingly, show a direct link to the other site first, if needed?

Update:

The HTML5 feature `window.postMessage` seems to be a nice solution.
There are some jQuery libraries that might help, and they are compatible with most recent browsers.
In essence, the iframe document sends messages, with JSON, through the window element.

The very nice Postmessage-plugin, by daepark, which I got working,
and another jQuery postMessage, by Ben Alman, which I found but haven't tested.

GDmac
  • I also see this problem, but I believe the issue is limited to unsecured cookies. Can someone confirm? – Adam Nov 17 '08 at 22:30
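
The update to the question describes the iframe document sending JSON messages through `window.postMessage`. The following is an added example, not code from the original post or from either jQuery plugin, showing both ends of that exchange with the origin and payload checks the receiver needs. It assumes the framed site cooperates; the origins, element ids and message shape are hypothetical.

```javascript
// Added example. SHOP_ORIGIN, PARENT_ORIGIN, the element ids and the
// message shape are assumptions made for illustration.
const SHOP_ORIGIN = 'https://tickets.example';   // framed site (hypothetical)
const PARENT_ORIGIN = 'https://www.example.org'; // embedding site (hypothetical)

// Framed page: try a cookie write and report whether it stuck.
function buildCookieStatus(doc) {
  doc.cookie = 'cookie_probe=1; path=/';
  const ok = /(?:^|;\s*)cookie_probe=1/.test(doc.cookie);
  return JSON.stringify({ type: 'cookie-status', cookiesWritable: ok });
}

// Parent page: decide what to show for an incoming message event.
// Returns 'show-frame', 'show-link', or null when the message is ignored.
function decideFromMessage(event, frameWindow) {
  // Exact origin comparison; substring or prefix matching can be bypassed.
  if (event.origin !== SHOP_ORIGIN) return null;
  // When the iframe's window is known, the message must come from it.
  if (frameWindow && event.source !== frameWindow) return null;
  // Treat the payload as untrusted: bounded string, valid JSON, expected shape.
  if (typeof event.data !== 'string' || event.data.length > 1024) return null;
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  if (msg === null || typeof msg !== 'object') return null;
  if (msg.type !== 'cookie-status') return null;
  if (typeof msg.cookiesWritable !== 'boolean') return null;
  return msg.cookiesWritable ? 'show-frame' : 'show-link';
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== 'undefined') {
  if (window.parent !== window) {
    // Inside the frame: name the intended recipient origin, never '*'.
    window.parent.postMessage(buildCookieStatus(document), PARENT_ORIGIN);
  } else {
    const frame = document.getElementById('shop-frame'); // hypothetical id
    const link = document.getElementById('shop-link');   // hypothetical id
    window.addEventListener('message', (event) => {
      const decision = decideFromMessage(event, frame && frame.contentWindow);
      // Show the direct link only when the framed site cannot write cookies.
      if (decision && link) link.hidden = decision !== 'show-link';
    });
  }
}
```

The parent ignores anything that fails a check instead of reporting an error back, so a page on another origin learns nothing from probing the listener.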

5 Answers

10

localStorage, supported by Safari and all modern browsers, permits read/write operations even on pages loaded into iframes. If you don't mind dropping support for IE6 and IE7, try using localStorage instead of cookies in your framed site. I know your question specifically says you don't have access to code on the framed site, but for those who do, localStorage definitely solves the "no cookies in a Safari iframe" problem.

colin moock
8

This is an issue known as Same Origin Policy. Essentially it is a security measure against creating security loopholes.

When you have an iframe that points to a page on your own domain, JavaScript can access both the page you're on and the page within the Iframe. This is an acceptable parent to child and child to parent relationship.

 (parent doc)        (iframe doc)
    HTML --> IFRAME <-- HTML 
      ^--------|---------^

However, once you have a file pointing to an external page, SOP comes into play and halts any information passing between the parent page and the iframe page.

 (parent doc)        (iframe doc)
    HTML --> IFRAME <-- HTML 
               X

Check out this post about iframe communication, it makes a lot of sense! Stackoverflow post

These links really help too!

1) Secure Cross-Domain Communication in the Browser
2) wiki SOP or Same Origin Policy

Good luck!

Community
M.W. Felker
  • nvm your answer is a bit too general but has a point. SOP will prevent you from checking whether the cookies exist as well. Or it should, anyway. – wds Jun 24 '09 at 08:08
  • My current workaround is to first load a local page inside the iframe, with a link to the external page. That way, the visitor has to "navigate" to that page and after that cookies are allowed for that site. What I am looking for is a way to know if the external page already has cookie privileges, so that I might skip first loading the local page and directly show the external page. – GDmac Aug 12 '09 at 10:16
3

This page suggests that you place some JavaScript in your pages which detects the absence of an always-there cookie. When it finds that the cookie has not been set, it posts the required session data to a page which sets the cookie, and redirects you back to the originating page.

Apparently the POST is enough to satisfy Safari's 'have I navigated to this domain' test, so from then on it accepts cookies from that domain.

Of course, it's not the nicest of code, but may well solve your problem.

Cyphus
2

One solution (a bit messy) might be to have the parent page check for the presence of the cookie and if the cookie is not present run an AJAX call to a script on the iframe page's domain which sets the cookie.

tw39124
  • 1
    Has anyone tried this (with an AJAX POST rather than a full page refresh POST)? Is it enough? – Matt Zukowski Mar 21 '12 at 14:33
  • I couldn't get an AJAX POST to work, but actually you can do it with a simple GET / redirect back to where you were. See this answer and my comment on it: http://stackoverflow.com/a/15889674/361609 – colllin Oct 18 '13 at 07:02
2

This is a common issue with Facebook apps displayed in Safari. The way many (including myself) have dealt with this is to have the iframed page POST to itself. When a page has posted form data, it is then allowed to set cookies. In the end, it works with a one-page refresh, which could even be your user login POST.

Broote