From the Apple developer FAQ:

Safari ships with a conservative cookie policy which limits cookie writes to only the pages chosen ("navigated to") by the user.

By default Safari only allows cookies from sites you navigate to directly (i.e. if you click on links with the URL of that domain name).

This means that if you load a page from your own site with an iframe containing a page from another site, the other site is not able to set cookies (for instance, a ticket shop). As soon as you have visited the other domain directly, the other site is able to access and change its own cookies.

Without having access to code on the other site, how can I make the user experience as unobtrusive as possible?

Is there a (JavaScript?) way to check if the other site's cookies are already set, and accordingly, show a direct link to the other site first, if needed?

+3  A: 

This is an issue known as Same Origin Policy. Essentially it is a security measure against creating security loopholes.

When you have an iframe that points to a page on your own domain, JavaScript can access both the page you're on and the page within the Iframe. This is an acceptable parent to child and child to parent relationship.

 (parent doc)        (iframe doc)
    HTML --> IFRAME <-- HTML 
      ^--------|---------^

However, once you have a file pointing to an external page, SOP comes into play and halts any information passing between the parent page and the iframe page.

 (parent doc)        (iframe doc)
    HTML --> IFRAME <-- HTML 
               X

Check out this post about iframe communication, it makes a lot of sense! Stack Overflow post

For some lame reason, I only get one link per post (I'm a new user). Google these, they really help too!

1) Secure Cross-Domain Communication in the Browser (it should be the second one from MSDN)
2) wiki SOP or Same Origin Policy

Good luck!

Max Felker
nvm your answer is a bit too general but has a point. SOP will prevent you from checking whether the cookies exist as well. Or it should, anyway.
wds
My current workaround is to first load a local page inside the iframe, with a link to the external page. That way, the visitor has to "navigate" to that page and after that cookies are allowed for that site. What I am looking for is a way to know if the external page already has cookie privileges, so that I might skip first loading the local page and directly show the external page.
GDmac
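
An added example, not part of the original answers: a small model of why script in the parent page cannot tell whether the framed site's cookies exist, covering both cookie domain scoping and the same-origin check on the frame's document. All hostnames, cookie names and the jar contents are constructed, and cookie path matching is left out to keep it short.

```javascript
// RFC 6265 section 5.1.3 domain-match: does `host` fall under cookie domain `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // A suffix match only counts on a label boundary and never for IP literals.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Names of the cookies a script running on `pageUrl` would see in document.cookie.
function visibleCookies(pageUrl, jar) {
  const { hostname, protocol } = new URL(pageUrl);
  return jar
    .filter((c) => (c.hostOnly ? hostname === c.domain : domainMatch(hostname, c.domain)))
    .filter((c) => !c.httpOnly) // HttpOnly cookies are never exposed to script
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => c.name);
}

// Same-origin policy: may script in the parent reach into the framed document?
function parentCanScriptFrame(parentUrl, frameUrl) {
  return new URL(parentUrl).origin === new URL(frameUrl).origin;
}

// Constructed jar: what the browser holds after the user has visited both sites.
const SAMPLE_JAR = [
  { name: "site_prefs", domain: "www.mysite.example", hostOnly: true, httpOnly: false, secure: false },
  { name: "shop_session", domain: "ticketshop.example", hostOnly: false, httpOnly: true, secure: true },
  { name: "shop_seen", domain: "ticketshop.example", hostOnly: false, httpOnly: false, secure: false },
];

const PARENT = "https://www.mysite.example/events";
const FRAME = "https://tickets.ticketshop.example/buy";

// The parent sees only its own cookie, even though the shop's cookies exist in the jar.
console.log("parent sees:", visibleCookies(PARENT, SAMPLE_JAR));
// The framed page sees its non-HttpOnly cookie.
console.log("frame sees: ", visibleCookies(FRAME, SAMPLE_JAR));
// Different origins, so the parent cannot read frame.contentDocument.cookie either.
console.log("parent can script frame:", parentCanScriptFrame(PARENT, FRAME));
```
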
+1  A: 

This page suggests that you place some JavaScript in your pages which detects the absence of an always-there cookie. When it finds that the cookie has not been set, it posts the required session data to a page which sets the cookie, and redirects you back to the originating page.

Apparently the POST is enough to satisfy Safari's 'have I navigated to this domain' test, so from then on it accepts cookies from that domain.

Of course, it's not the nicest of code, but may well solve your problem.

Cyphus
A: 

One solution (a bit messy) might be to have the parent page check for the presence of the cookie and if the cookie is not present run an AJAX call to a script on the iframe page's domain which sets the cookie.

Tom Woolfrey
A: 

This is a common issue with Facebook apps displayed in Safari. The way many (including myself) have dealt with this is to have the iframed page POST to itself. When a page has posted form data, it is then allowed to set cookies. In the end, it works with a 1 page refresh, which could even be your user login POST.

Broote