Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

iframes, sessions within iframes, CORs & 3rd Party Cookies - Any documentation, and interaction should allow cookies?

  • 1 wotmołwa
  • 1 ma tutón problem
  • 12 napohladow
  • Poslednja wotmołwa wot GerardoPcp04

more options

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them.

I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used).

https://github.com/own3mall/firefox-3rd-party-cookies-test

I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this?

This seems like a serious problem that needs a better solution, and I like the interaction idea.

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them. I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used). https://github.com/own3mall/firefox-3rd-party-cookies-test I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this? This seems like a serious problem that needs a better solution, and I like the interaction idea.

Wšě wotmołwy (1)

more options

Hello, I think you could report it as a bug and talk directly with the programmers / developers: https://bugzilla.mozilla.org/ Create an account: https://bugzilla.mozilla.org/createaccount.cgi

Please copy the link of the open bug here and continue your query in bugzilla forum. Thank you

Wot GerardoPcp04 změnjeny