Setting cross-domain cookies in Safari
Solution 1
From the Safari Developer FAQ:
Safari ships with a conservative cookie policy which limits cookie writes to only the pages chosen ("navigated to") by the user. This default conservative policy may confuse frame based sites that attempt to write cookies and fail.
I have found no way to get around this.
If it's worth anything, Chrome doesn't set the cookies either if you use the <script> appending method, but if you have a hidden <img> with the same source, Chrome works in addition to the rest of the browsers (except, again, Safari).
Solution 2
Here is a solution which works:
http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/
Solution 3
This might not work for everyone, but I came across this issue because I was serving a React App from a different host than the API, and the solution that ultimately worked was to use DNS:
Our client was being served from www.company-name.com and our API was on company-name.herokuapp.com. By making a CNAME record api.company-name.com --> company-name.herokuapp.com, and having our client use that subdomain for API calls, Safari stopped considering it a "third-party" cookie.
The upside is that there's very little code involved, and it's all using well-established stuff... The downside is that you need some control/ownership over the API host if you're going to use https - they need a certificate that's valid for the client domain, or users will get a certificate warning - so this wouldn't work (at least not for something end-user-facing) if the API in question isn't yours or a partner's.
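The reason the CNAME works is that browsers classify a cookie as first- or third-party by comparing the "site" (registrable domain, i.e. public suffix plus one label) of the page and of the request, not the full hostname. The following is an added example, not code from the answer above: it implements that comparison with a constructed, deliberately tiny stand-in for the Public Suffix List, runs it over the hosts named in the answer (www.company-name.com, api.company-name.com, company-name.herokuapp.com, all hypothetical), and builds the Set-Cookie header the API can send once it shares the client's site. The Secure/HttpOnly/SameSite attributes are defensive defaults added here, not something the answer prescribes.

```javascript
// Added example (not from the original answer): decide whether an API host
// counts as "same-site" with the page that calls it, the way browsers do when
// classifying cookies as first-party or third-party.

// Constructed, deliberately tiny stand-in for the Public Suffix List
// (https://publicsuffix.org/). Real browsers carry the full list; the
// "herokuapp.com" entry mirrors how shared hosting platforms register
// themselves as public suffixes so that tenants are separate sites.
const PUBLIC_SUFFIXES = new Set(["com", "net", "co.uk", "herokuapp.com"]);

// Return the registrable domain (public suffix plus one label), which is the
// "site" a browser compares when deciding whether a request is cross-site.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Scanning from the left finds the longest matching public suffix first.
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) {
      if (i === 0) return null; // the host itself is a public suffix
      return labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treat as not registrable
}

// Two hosts are same-site when their registrable domains match.
function isSameSite(pageHost, apiHost) {
  const a = registrableDomain(pageHost);
  const b = registrableDomain(apiHost);
  return a !== null && a === b;
}

// Build the Set-Cookie header the API should send once it lives on a subdomain
// of the client's site. Domain= lets www. and api. share the cookie;
// SameSite=Lax keeps it first-party-only; Secure and HttpOnly are the usual
// hardening for a session cookie. Refuses to build a cookie that the browser
// would classify as third-party anyway.
function buildSessionCookie(name, value, pageHost, apiHost) {
  if (!isSameSite(pageHost, apiHost)) {
    throw new Error(`${apiHost} is cross-site from ${pageHost}; a shared Domain= cookie will not work`);
  }
  const site = registrableDomain(apiHost);
  return `${name}=${encodeURIComponent(value)}; Domain=${site}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Walk through the two layouts from the answer: API on the hosting platform's
// own domain (cross-site) versus behind a CNAME on the client's domain.
function demo() {
  return {
    beforeCname: isSameSite("www.company-name.com", "company-name.herokuapp.com"),
    afterCname: isSameSite("www.company-name.com", "api.company-name.com"),
    header: buildSessionCookie("session", "abc123", "www.company-name.com", "api.company-name.com"),
  };
}

module.exports = { registrableDomain, isSameSite, buildSessionCookie, demo };
```

Running `demo()` shows `beforeCname` false and `afterCname` true: the Heroku host resolves to the site `company-name.herokuapp.com`, while both client and CNAME host resolve to `company-name.com`. A real deployment should use the full Public Suffix List rather than the four-entry stand-in above, and the certificate caveat from the answer still applies because the browser validates the certificate against api.company-name.com, not the underlying Heroku hostname.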
Solution 4
Working method 2014-2016:
You have to do window.open to the domain / assign a cookie / close the popup, the domain is now safelisted.
Original post @ PHP multiple cookies not working on iPad / iPhone browser
Solution 5
There is a bit of an evil trick assuming they have flash installed.
I'm not sure if it still works or not, but Flash'es "Local Shared Objects" aka Flash Cookies could help you circumnavigate Safari's same-domain policies.
However, it may be complicated to implement, to say the least.
Additionally, LSOs are coming into the light as being a security nightmare.
So think carefully before using them.
Luca Matteis
http://scholar.google.com/citations?user=4shOPsgAAAAJ&hl=en
Updated on July 05, 2022

Comments
- Luca Matteis (almost 2 years): I have to call domain A.com (which sets the cookies with http) from domain B.com. All I do on domain B.com is (javascript):
  var head = document.getElementsByTagName("head")[0]; var script = document.createElement("script"); script.src = "A.com/setCookie?cache=1231213123"; head.appendChild(script);
  This sets the cookie on A.com on every browser I've tested, except Safari. Amazingly this works in IE6, even without the P3P headers.
  Is there any way to make this work in Safari?
- Luca Matteis (over 15 years): No, that has nothing to do with it.
- Luca Matteis (about 15 years): Any idea how evernote.com does this? They use an Iframe for their bookmarklet thingy, which is able to set the cookies, somehow.
- Paolo Bergantino (about 15 years): Are you sure evernote does it, and not that you have changed your default Safari settings?
- Evan Fosmark (about 15 years): I fail to see how this helps at all.
- Paolo Bergantino (about 15 years): Well I've dug into this issue plenty of times before and maybe they're giving the illusion it works but I'm 99.9% that Safari will not set the cookies unless that security setting is changed.
- Paolo Bergantino (about 15 years): If I knew I'd tell you... the point is it might seem like it's working but they're obviously doing something else behind the scenes. You can't set a third party cookie on Safari with default settings. It's that simple.
- Luca Matteis (about 15 years): Same on IE6 with default settings, but there's ways of getting around that.
- Luca Matteis (about 15 years): Also I just tested on Chrome and the script tag approach works fine (no need to use the img).
- Luca Matteis (about 15 years): The page would still be loaded in the iframe, making it undeliverable with Safari.
- Zach (about 15 years): By "undeliverable" do you mean Safari will still not treat it as user navigation?
- Jim (about 15 years): The default type is 'text/javascript' so no.
- Luca Matteis (about 15 years): Why was this voted up? It's not answering my question.
- Luca Matteis (about 15 years): There must be a hackish way to do this, like I said, evernote is able to do this.
- Luca Matteis (about 15 years): Hey Kent, yeah this is the solution I think, use a flash object... I wish I could give the correct answer to you, but it's stuck :(
- Matty F (almost 14 years): It was voted up because it's the correct answer, you can't do what you're requesting in Safari without doing a full-page redirect to the third-party domain.
- thesmart (over 13 years): Can't you post to a hidden iframe, and in that iframe, set the cookie?
- a1ashiish (about 13 years): It does work, but you can't create the cookie via javascript, it must be created by the server on the form's response. +1
- 0x6A75616E (about 12 years): FYI, this no longer works on safari/firefox because of this: webpronews.com/…
- streetlight (about 11 years): It's my impression that this loophole has been closed in Webkit after the whole 'Google hacked Safari for ads' thing.
- RichVel (over 10 years): @streetlight - you are correct, the author of that blog post confirms here that this no longer works: anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/…
- RichVel (over 10 years): @wenbert - Possibly doesn't work any more, as it's similar to this answer: stackoverflow.com/a/2288555/992887 - needs testing on iOS 6 and 7.
- RichVel (over 10 years): Our developers looked at various workarounds but they seem fragile given Apple will close any such holes. Instead, they wrote a 'please register your device' page that sets a cookie when the user presses a button. This page is only required once per device, not once per session, so it's not too much hassle for the user.
- Michael Mikhjian (almost 9 years): I was able to provide a working solution (see below) or visit my post at stackoverflow.com/questions/16703176/…
- Fuvizzo (about 8 years): I tried to follow your method but I didn't succeed. I succeeded in creating a cookie in the y.com domain using document.cookie=... but I miss something else later... Could you give me some more hints about it? Thanks
- Mark (over 7 years): It seems as though this method will set the cookie for the domain y.com. If x.com wants to use this cookie later, from a non-iframe page, it will not be accessible.
- Mark (over 7 years): The code on this page works great for this: measurablewins.gregjxn.com/2014/02/…
- lukio3 (over 3 years): This answer helped me a lot and resolved my Safari cookies issue, thank you. Just to be more specific about the certificate warning, the SSL certificate should have the client domain as a listed SAN (Subject Alternate Name) for this to work. You will need to figure out how to do this with your certificate provider.
- Chano (almost 3 years): I- I love you. I was about to redevelop my whole auth system until I found this.
- Aravind (almost 3 years): This saved my product launch! Thank you so much!
- Amin (about 2 years): As long as the "Prevent cross-site tracking" option in Safari or Chrome or any other browser is checked (which it is on iOS), I doubt it cares whether the target has been visited once or not; it rejects any cross-site cookie.