Raimonds, we've encountered this issue when building the who's looking plugin. We've also encountered similar issues in IE 8 & 9, and firefox was threatening at one point to block all third party cookies - see
http://www.computerworld.com/s/article/9240218/Mozilla_again_postpones_Firefox_third_party_cookie_blocking_this_time_for_months.
After investigating cookies, we've decided the best option is to implement a separate signed http header to transmit auth information ... ie don't use the cookie at all. This pattern has been implemented in ac-play
https://bitbucket.org/atlassian/atlassian-connect-play-java . The basic pattern is identical to how cookies work:
- the remote addon issues a secure token to the page when it's served
- the remote page sends this token as a header in all ajax requests to its own server; the server validates this token on all requests
- the token expires after a fixed timeout (eg 10 minutes)
There is a little more work for the addon developer (they need to ensure they send the header on each ajax request), however it's the only reliable cross-browser solution.
We're working on documentation, and adding the same pattern to atlassian-connect-express (our node.js connect toolkit).