Setting cross-domain cookies in Safari

Solution 1

From the Safari Developer FAQ:

Safari ships with a conservative cookie policy which limits cookie writes to only the pages chosen ("navigated to") by the user. This default conservative policy may confuse frame based sites that attempt to write cookies and fail.

I have found no way to get around this.

If it's worth anything, Chrome doesn't set the cookies either if you use the <script> appending method, but if you have a hidden <img> with the same source, Chrome works in addition to the rest of the browsers (except, again, Safari).

Solution 2

Here is a solution which works:

http://anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/

Solution 3

This might not work for everyone, but I came across this issue because I was serving a React App from a different host than the API, and the solution that ultimately worked was to use DNS:

Our client was being served from www.company-name.com and our API was on company-name.herokuapp.com. By making a CNAME record api.company-name.com --> company-name.herokuapp.com, and having our client use that subdomain for API calls, Safari stopped considering it a "third-party" cookie.

The upside is that there's very little code involved, and it's all using well-established stuff... The downside is that you need some control/ownership over the API host if you're going to use https - they need a certificate that's valid for the client domain, or users will get a certificate warning - so this wouldn't work (at least not for something end-user-facing) if the API in question isn't yours or a partner's.
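The reasoning behind Solution 3 is that browsers scope cookies by registrable domain (eTLD+1), so an API on a subdomain of the client's domain is same-site while an app on a shared hosting suffix is not. The following is an added example, not code from any of the answers: a small same-site check in JavaScript with a constructed subset of the Public Suffix List (herokuapp.com is on the real list, so every *.herokuapp.com app is its own site), plus a helper that only issues a session cookie when the API and client hosts are same-site. Function names and the hostnames are illustrative.

```javascript
// Constructed subset of the Public Suffix List for this example only.
// herokuapp.com is a public suffix, so "company-name.herokuapp.com" and
// "other.herokuapp.com" are different sites, not subdomains of one site.
const PUBLIC_SUFFIXES = new Set(["com", "herokuapp.com", "co.uk"]);

// Return the registrable domain (eTLD+1) of a host, or null when the host
// itself is a public suffix or its suffix is unknown to our list.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Scan suffixes from longest (whole host) to shortest (last label); the
  // first one found in the list is the longest matching public suffix.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a public suffix: no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: be conservative and treat as no registrable domain
}

// Two hosts are "same-site" for cookie purposes when they share a
// registrable domain. This is the property Solution 3 achieves with the
// CNAME api.company-name.com -> company-name.herokuapp.com.
function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  const b = registrableDomain(hostB);
  return a !== null && a === b;
}

// Build a Set-Cookie header for a session cookie issued by apiHost to a page
// served from clientHost. The cookie is host-only (no Domain attribute), so it
// is scoped to the API host alone, and SameSite=Lax is enough because the
// request is same-site. When the hosts are cross-site, return null: a
// cross-site cookie is exactly what Safari's default policy rejects.
function sessionCookieHeader(name, value, apiHost, clientHost) {
  if (!sameSite(apiHost, clientHost)) {
    return null;
  }
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed hosts from the answer above.
console.log(sameSite("www.company-name.com", "company-name.herokuapp.com")); // false
console.log(sameSite("www.company-name.com", "api.company-name.com"));       // true
console.log(sessionCookieHeader("sid", "abc", "api.company-name.com", "www.company-name.com"));
```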

Solution 4

Working method 2014-2016:

You have to do window.open to the domain / assign a cookie / close the popup, the domain is now safelisted.

Original post @ PHP multiple cookies not working on iPad / iPhone browser

Solution 5

There is a bit of an evil trick assuming they have flash installed.

I'm not sure if it still works or not, but Flash's "Local Shared Objects" aka Flash Cookies could help you circumnavigate Safari's same-domain policies.

Local Shared Object Tutorial

However, it may be complicated to implement, to say the least.

Additionally, LSOs are coming to light as being a security nightmare:

So think carefully before using them.

Author: Luca Matteis
http://scholar.google.com/citations?user=4shOPsgAAAAJ&hl=en

Updated on July 05, 2022

Comments

  • Luca Matteis
    Luca Matteis almost 2 years

    I have to call domain A.com (which sets the cookies with http) from domain B.com. All I do on domain B.com is (javascript):

    // Runs on B.com: inject a script tag whose src points at A.com so that
    // A.com's response can carry a Set-Cookie header.
    var head = document.getElementsByTagName("head")[0];
    var script = document.createElement("script");
    script.src = "http://A.com/setCookie?cache=1231213123"; // cache-busting query string
    head.appendChild(script);

    This sets the cookie on A.com on every browser I've tested, except Safari. Amazingly this works in IE6, even without the P3P headers.

    Is there any way to make this work in Safari?

  • Luca Matteis
    Luca Matteis over 15 years
    No, that has nothing to do with it.
  • Luca Matteis
    Luca Matteis about 15 years
    Any idea how evernote.com does this? They use an Iframe for their bookmarklet thingy, which is able to set the cookies, somehow.
  • Paolo Bergantino
    Paolo Bergantino about 15 years
    Are you sure evernote does it, and not that you have changed your default Safari settings?
  • Evan Fosmark
    Evan Fosmark about 15 years
    I fail to see how this helps at all.
  • Paolo Bergantino
    Paolo Bergantino about 15 years
    Well I've dug into this issue plenty of times before and maybe they're giving the illusion it works but I'm 99.9% sure that Safari will not set the cookies unless that security setting is changed.
  • Paolo Bergantino
    Paolo Bergantino about 15 years
    If I knew I'd tell you... the point is it might seem like it's working but they're obviously doing something else behind the scenes. You can't set a third party cookie on Safari with default settings. It's that simple.
  • Luca Matteis
    Luca Matteis about 15 years
    Same on IE6 with default settings, but there are ways of getting around that.
  • Luca Matteis
    Luca Matteis about 15 years
    Also I just tested on Chrome and the script tag approach works fine (no need to use the img).
  • Luca Matteis
    Luca Matteis about 15 years
    The page would still be loaded in the iframe, making it undeliverable with Safari.
  • Zach
    Zach about 15 years
    By "undeliverable" do you mean Safari will still not treat it as user navigation?
  • Jim
    Jim about 15 years
    the default type is 'text/javascript' so no
  • Luca Matteis
    Luca Matteis about 15 years
    Why was this voted up? It's not answering my question.
  • Luca Matteis
    Luca Matteis about 15 years
    There must be a hackish way to do this, like I said, evernote is able to do this.
  • Luca Matteis
    Luca Matteis about 15 years
    Hey Kent, yeah this is the solution I think, use a flash object... I wish I could give the correct answer to you, but it's stuck :(
  • Matty F
    Matty F almost 14 years
    It was voted up because it's the correct answer, you can't do what you're requesting in Safari without doing a full-page redirect to the third-party domain.
  • thesmart
    thesmart over 13 years
    Can't you post to a hidden iframe, and in that iframe, set the cookie?
  • a1ashiish
    a1ashiish about 13 years
    It does work, but you can't create the cookie via javascript, it must be created by the server on the form's response. +1
  • 0x6A75616E
    0x6A75616E about 12 years
    FYI, this no longer works on safari/firefox because of this: webpronews.com/…
  • streetlight
    streetlight about 11 years
    It's my impression that this loophole has been closed in Webkit after the whole 'Google hacked Safari for ads' thing
  • RichVel
    RichVel over 10 years
    @streetlight - you are correct, the author of that blog post confirms here that this no longer works: anantgarg.com/2010/02/18/cross-domain-cookies-in-safari/…
  • RichVel
    RichVel over 10 years
    @wenbert - Possibly doesn't work any more, as it's similar to this answer: stackoverflow.com/a/2288555/992887 - needs testing on iOS 6 and 7
  • RichVel
    RichVel over 10 years
    Our developers looked at various workarounds but they seem fragile given Apple will close any such holes. Instead, they wrote a 'please register your device' page that sets a cookie when user presses a button. This page is only required once per device, not once per session, so it's not too much hassle for the user.
  • Michael Mikhjian
    Michael Mikhjian almost 9 years
    I was able to provide a working solution (see below) or visit my post at stackoverflow.com/questions/16703176/…
  • Fuvizzo
    Fuvizzo about 8 years
    I tried to follow your method but I didn't succeed. I succeeded in creating a cookie in the y.com domain using document.cookie=... but I miss something else later... Could you give me some more hints about it? Thanks
  • Mark
    Mark over 7 years
    It seems as though this method will set the cookie for the domain y.com. If x.com wants to use this cookie later, from a non-iframe page, it will not be accessible.
  • Mark
    Mark over 7 years
    The code on this page works great for this: measurablewins.gregjxn.com/2014/02/…
  • lukio3
    lukio3 over 3 years
    This answer helped me a lot and resolved my Safari cookies issue, thank you. Just to be more specific about the certificate warning, the SSL certificate should have the client domain as a listed SAN (Subject Alternate Name) for this to work. You will need to figure out how to do this with your certificate provider.
  • Chano
    Chano almost 3 years
    I- I love you. I was about to redevelop my whole auth system until I found this.
  • Aravind
    Aravind almost 3 years
    This saved my product launch! Thank you so much!
  • Amin
    Amin about 2 years
    As long as the "Prevent cross-site tracking" option in Safari or Chrome or any other browser is checked (which it is on iOS) I doubt it cares whether the target has been visited once or not, it rejects any cross-site cookie.