Tuesday, 4 February 2014

Safari: Setting third party iframe cookies

Safari is known to be strict about permissions in iframes, especially when the domain of the iframe page is different from the domain of the parent page. Some would even say paranoically strict.

Safari will block you from setting cookies for the third-party domain (the different domain in the iframe), unless you already have cookies set for that domain.

Here's a snippet of javascript I pulled together last week that as a way to get around the iframe cookie security. It works great if your page is nice and light and loads fast, otherwise it can feel pretty clunky with the triple loading...

window.onload=function(){
 if(navigator.userAgent.indexOf('Safari')!=-1&&navigator.userAgent.indexOf('Chrome')==-1){
  var cookies=document.cookie;
  if(top.location!=document.location){
   if(!cookies){
    href=document.location.href;
    href=(href.indexOf('?')==-1)?href+'?':href+'&';
    top.location.href =href+'reref='+encodeURIComponent(document.referrer);
   }
  } else {
   ts=new Date().getTime();document.cookie='ts='+ts;
   rerefidx=document.location.href.indexOf('reref=');
   if(rerefidx!=-1){
    href=decodeURIComponent(document.location.href.substr(rerefidx+6));
    window.location.replace(href);
   }
  }
 }
}

Here's what it basically does:
  • The javascript is placed in the page loaded inside the iframe. 
  • If the JS is run inside the iframe and the browser is Safari and there are no cookies set, then we frame-burst the page to take over the window and append the original parent page URL as a parameter. 
  • If the JS is run not inside a frame and the browser is Safari, then we set a timestamp cookie (now that we are out of the iframe) and if a reref param exists we redirect back to the original page.
  • If the JS is run inside the iframe and the browser is Safari and there ARE cookies set, then we do nothing.

And one more time in pseudo-code

if(browser is Safari){
 if(we are in an iframe){
  if(no cookies){
   set window_url = iframe_url + reref=iframe_parent_url;
  }
 } else {
  set a timestamp cookie;
  if(reref exists in url){
   redirect to original url so we have iframe again
  }
 }
}

21 comments:

  1. This comment has been removed by the author.

    ReplyDelete
  2. I am testing out your code. I am assuming that the part that I have to edit is the one with the interrogation marks inside single quotes?

    Do you know if this works with IE9+? Because I have this issue with IE9.

    ReplyDelete
    Replies
    1. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Front end developer learn from Javascript Online Training from India . or learn thru JavaScript Online Training from India. Nowadays JavaScript has tons of job opportunities on various vertical industry. ES6 Training in Chennai

      Delete
  3. I can't get this to work.

    If I have domainA.com with iframe loading domainB.com. The javascript above should be in domainB.com, right?

    This is what I have: http://pastie.org/9280470

    ReplyDelete
  4. Thank you. This made a world of difference! :) It worked beautifully!

    ReplyDelete
  5. I am facing issue with triple loading ?Please help me out to avoid that

    ReplyDelete
  6. Thanks.. it works!!

    ReplyDelete
  7. Thank you, it was very helpful!

    ReplyDelete
  8. Since this was geared towards normal GET requests, is there a way that this could be easily modified to handle POST requests?

    I have a web app where the top frame POSTs into the iframe. So the initial call into the iframe is a POST request. Might be hard to carry those POST variables throughout the various redirects.

    ReplyDelete
  9. Hello the JavaScript must be placed into the page where the iframe is referring to ?

    ReplyDelete
  10. This comment has been removed by a blog administrator.

    ReplyDelete
  11. This comment has been removed by a blog administrator.

    ReplyDelete
  12. This comment has been removed by the author.

    ReplyDelete
  13. Hello and omg, it to hard to understand those complicated settings such as for me. Better to download latest https://yepdownload.com/safari safari windows 8.1 from the begining, than try to understand those codes. I like this browser, from that moment when I start use the iphone, before I applied the chrome every day, but now only safari browser. For me here is convenient the read mode and the confidential system is very high.

    ReplyDelete
  14. Main sabung ayam online di Situs Terpercaya Saja Dijamin Pasti Bayar !

    ReplyDelete
  15. This is an awesome post. Really very informative and creative contents. This concept is a good way to enhance the knowledge. I like it and help me to development very well. Thank you for this brief explanation and very nice information. Well, got a good knowledge.
    Php course in chennai

    ReplyDelete

  16. Ingin Menjadi Jutawan Dalam Bermain Game Online, Inilah saat'a Anda Bergabung Bersama s128 sabung ayam, Pendaftaran Gratis Dan Akan Di berikan Panduan Cara Memenangkan Game Online. Bolavita Juga Menyediakan Promo Bonus Setiap Deposit 10% Utk New Member, Adalagi gan yaitu Bonus CashBack 10% Setiap Minggu'a, Jangan Lupa Di Like Juga FB Bolavita guys, Cara'a Sangat Gampang gan BBM: D1A1E6DF/ Wa: 081377055002/ Line: cs_bolavita Atau Kunjungi FB Bolavita Lalu Like Dan Share ya gan. thx ya gan ^_^

    ReplyDelete
  17. Hi Thanks for the nice information its very useful to read your blog.
    Web Design Training

    ReplyDelete