Cookies are blocked in iframe even after disabling ITP #1228
Comments
In mobile and desktop Safari, disabling the "Prevent Cross-Site Tracking" option causes the site to work as expected. In Chrome also no issue seems to be there. The only issue is on the mobile app with
Iframes don't have access to the storage API by default, which is required to handle ITP. Iframes that are direct children of the top-level frame have an attribute to enable the Storage Access API. Direct child iframes can have
From what I read, iframes in which is nested do not have storage access, even with the sandbox attribute. Note that if either the top frame or the iframe document navigates, storage access is revoked. Any storage grants only persist for the lifetime of the document. Disclaimer: don't have the means to confirm or test any of this. Just summarizing WebKit's blog. Also there are some cookie bugs that are unrelated to ITP in WKWebView, which were reported to Apple via https://bugs.webkit.org/show_bug.cgi?id=213510 which I think affects iOS <= 13. Your reproduction on iOS 12.4, while showing similar symptoms, is likely related to cookie syncing issues on WKWebView. I believe these are fixed in later iOS versions (but I don't work cookies so not sure on the exact details here on this.)
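A diagnostic for the situation this comment describes, as an added example that is not part of the thread or of the Cordova project: run inside the embedded page, it reports whether the frame is nested, whether the Storage Access API is present, and whether a request made from a user gesture is granted. The names `frameContext` and `diagnoseStorageAccess` and the report fields are assumptions chosen for illustration.

```javascript
// Added example: Storage Access API diagnostic for an embedded page.
// Names (frameContext, diagnoseStorageAccess, report fields) are illustrative.

// Where does this document sit in the frame tree?
function frameContext(win) {
  const framed = win.self !== win.top;
  // parent !== top means at least one frame sits between this one and the top.
  return { framed, nested: framed && win.parent !== win.top };
}

// Call from a click/tap handler: requestStorageAccess() rejects without a user gesture.
async function diagnoseStorageAccess(win) {
  const doc = win.document;
  const report = { ...frameContext(win), apiAvailable: false, hadAccess: null, outcome: '' };
  report.apiAvailable = typeof doc.hasStorageAccess === 'function' &&
                        typeof doc.requestStorageAccess === 'function';
  if (!report.apiAvailable) {
    report.outcome = 'api-unavailable';
    return report;
  }
  report.hadAccess = await doc.hasStorageAccess();
  if (report.hadAccess) {
    report.outcome = 'already-granted';
    return report;
  }
  try {
    await doc.requestStorageAccess();
    report.outcome = 'granted';
  } catch (err) {
    // The promise rejects when access is refused; the error carries little
    // detail, so the frame context above is the main clue.
    report.outcome = 'denied';
    report.error = err ? String(err.name || err) : 'rejected';
  }
  return report;
}

// In the embedded page (browser only):
// button.addEventListener('click', async () => {
//   console.log(JSON.stringify(await diagnoseStorageAccess(window)));
// });
```

As the comment notes, a grant lasts only for the lifetime of the document, so the check has to be repeated after any navigation of the top frame or the iframe.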
breautek I've added The iframe on the sample app I provided is a direct child of the webpage. Yeah, I think you are right. It could be unrelated to ITP and be related to other cookie bugs on the link you provided. After doing some more tests I will reply back. Thank you!
Hello. Any success with this issue? I'm also having problems with iframe cookies not being saved & used.
@mkayander For me by default, the Cookie policy is set to In CDVWebViewEngine.m, can you try adding the below line and see if that helps
@abhinavms Thanks for the info! I've tried adding that line, but with no success yet. Is there a specific place in the file that this line should be at? I've currently added it inside the "initWithFrame".
In my codebase, it was added under "pluginInitialize". But I think it should have worked under initWithFrame also. Maybe you can debug and check the "cookieAcceptPolicy" value in your case. If it is already NSHTTPCookieAcceptPolicyAlways, then you might be facing a different issue. Also just to confirm you have already added "NSCrossWebsiteTrackingUsageDescription" and enabled tracking in the app settings?
Yeah, I've logged the Yet, I see in dev tools that iframe's response contains multiple I'm also using a
As it turned out, those iframe cookies are only being saved if there's already a cookie present for this specific domain. I've used a So it seems like a working solution for the test environment, but not a good option for the prod, since it's not great to force users to enable tracking in settings. It looks like the only option for the production env is to make a separate build for each domain and enforce/proxy all iframes to it.
@mkayander is it still working now for you with iOS 18 beta? I have a hybrid app which makes calls to a webserver and loads the pages returned as a response inside the iframe of my app. Cookies are maintained outside the iframe in my app, but inside the iframe, they do not exist anymore; calls from inside the iframe to the server (same-origin) are failing since no cookies in the request => no session ID.
We ended up assigning a relevant domain for the environment. So basically stopped trying to hack this thing anymore.
Bug Report
Problem
Even after allowing cross-site tracking in the app setting to disable ITP, the 3rd party cookies are still not being set in iframe. The Storage Access API denies the request to access storage. This causes login to fail in the iframe.
What is expected to happen?
Cookies should be stored and sent in every request
What does actually happen?
Cookies are not being stored
Information
I have created a sample application to illustrate the problem. Link - https://github.com/abhinavms/cordova-3rdparty-cookie
The webview loads URL abhinavms.github.io/cookieTest. It has an iframe that loads cookie-set-test.herokuapp (Source code). cookie-set-test.herokuapp sends a request to set a cookie and verify if the cookie was set. It also displays if the Storage Access API has granted access.
With the latest Xcode version, it is observed that the cookie is never being set in the iframe unless a first-party cookie was already available. This issue was also reproducible in iOS 12.4, which doesn't have ITP.
Observations
Environment, Platform, Device
Xcode 13.3
iOS 15.3, 12.4
Checklist