Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Zoeken in Support

Vermijd ondersteuningsscams. We zullen u nooit vragen een telefoonnummer te bellen, er een sms naar te sturen of persoonlijke gegevens te delen. Meld verdachte activiteit met de optie ‘Misbruik melden’.

Meer info

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

iframes, sessions within iframes, CORs & 3rd Party Cookies - Any documentation, and interaction should allow cookies?

  • 1 antwoord
  • 1 heeft dit probleem
  • 12 weergaven
  • Laatste antwoord van GerardoPcp04

more options

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them.

I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used).

https://github.com/own3mall/firefox-3rd-party-cookies-test

I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this?

This seems like a serious problem that needs a better solution, and I like the interaction idea.

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them. I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used). https://github.com/own3mall/firefox-3rd-party-cookies-test I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this? This seems like a serious problem that needs a better solution, and I like the interaction idea.

Alle antwoorden (1)

more options

Hello, I think you could report it as a bug and talk directly with the programmers / developers: https://bugzilla.mozilla.org/ Create an account: https://bugzilla.mozilla.org/createaccount.cgi

Please copy the link of the open bug here and continue your query in bugzilla forum. Thank you

Bewerkt door GerardoPcp04 op