Safari 6 by default block cookies from iframe of not-visited domain


Raimonds Simanovskis

Sep 26, 2013, 7:37:59 PM
to atlassian-...@googlegroups.com
Just got the following annoying bug when users use Safari 6 to access eazyBI for JIRA OnDemand add-on.

By default Safari 6 on Mac has the setting "Block cookies" set to "From third parties and advertisers". It means that if some iframe tries to set a cookie but you have not visited the domain of this iframe as a main page in your browser, then Safari will not accept cookies from this iframe.

When a JIRA OnDemand user accesses the eazyBI add-on page, the first eazyBI page from host aod.eazybi.com is loaded in an iframe and it sets a session cookie. When the user navigates to other pages in this iframe, I use this session cookie to identify the user.
But if the user has never visited the eazybi.com main page in the Safari browser, then Safari does not accept cookies from aod.eazybi.com in the iframe :(

There are many questions on Stack Overflow about this issue but no good solutions for Safari 6 (there were some workarounds in previous Safari versions). Does anyone have a good solution for this problem?

And do others use cookies in their iframes as well? Then you will get the same issue with Safari 6 users...

Kind regards,
Raimonds Simanovskis

Jonathon Creenaune

Sep 26, 2013, 9:05:14 PM
to atlassian-...@googlegroups.com
Raimonds, we've encountered this issue when building the who's looking plugin. We've also encountered similar issues in IE 8 & 9, and Firefox was threatening at one point to block all third party cookies - see http://www.computerworld.com/s/article/9240218/Mozilla_again_postpones_Firefox_third_party_cookie_blocking_this_time_for_months.

After investigating cookies, we've decided the best option is to implement a separate signed HTTP header to transmit auth information ... i.e. don't use the cookie at all. This pattern has been implemented in ac-play https://bitbucket.org/atlassian/atlassian-connect-play-java . The basic pattern is identical to how cookies work:
- the remote addon issues a secure token to the page when it's served
- the remote page sends this token as a header in all ajax requests to its own server; the server validates this token on all requests
- the token expires after a fixed timeout (e.g. 10 minutes)

There is a little more work for the addon developer (they need to ensure they send the header on each ajax request), however it's the only reliable cross-browser solution.

We're working on documentation, and adding the same pattern to atlassian-connect-express (our node.js connect toolkit).


--
You received this message because you are subscribed to the Google Groups "Atlassian Connect Dev" group.

Freddy Wang

Oct 25, 2013, 12:53:19 AM
to atlassian-...@googlegroups.com
With the release of Safari 7, not only are 3rd party cookies being blocked. Local Storage as well as WebDB, any kind of website data, is being blocked. When you go to Safari Preferences (CMD+comma), under the Privacy tab, on Safari 7 it now says "Block cookies *and other website data*", where it originally was "Block cookies". That confirms the changes.