Chrome 3rd party cookie in iframe (SameSite=None; Secure)


Just like everyone else, I'm scrambling to support the coming 3rd-party-cookie change in Chrome. My users (other websites on other domains) include my webpage in an iframe. In my page I set a cookie (which only the iframe needs to see in the context of that parent website, so not actually a 3rd party cookie).

This works fine in Firefox (which presumably already has 3rd party cookies disabled) but when using Chrome in Incognito mode, with 3rd party cookies disabled, I can't set my cookie.

Below is an example. If you reload the parent, the cookie is lost (actually it never gets set, even before the reload). There are no warnings in the Chrome dev tools, but you can see in the Application tab that the cookie never gets set.

Any ideas why this works in Firefox but not Chrome incognito with 3rd party cookies disabled? Any way to make this work?

Parent page (domain1.com):

<html>
    <head>
        <style>
            iframe.myframe {
                width: 800px;
                height: 500px;
            }
        </style>
    </head>
    <body>
        <iframe class="myframe" src="https://domain2.com/my_thing.html"></iframe>
    </body>
</html>

Child page (domain2.com):

<html>
    <head>
        <style> body{ background: blue; } </style>
    </head>
    <body>
        <script>
            let num = getCookie('num');
            console.log('Pre-change: '+num);
            num = (parseInt(num)||0) + 1;

            document.cookie = "num="+num+"; SameSite=None; Secure";

            console.log('Post-change: '+num);


            function getCookie(cname) {
                let name = cname + "=";
                let ca = document.cookie.split(';');
                for(let i = 0; i < ca.length; i++) {
                    let c = ca[i];
                    while (c.charAt(0) == ' ') {
                        c = c.substring(1);
                    }
                    if (c.indexOf(name) == 0) {
                        return c.substring(name.length, c.length);
                    }
                }
                return "";
            }
        </script>
    </body>
</html> 

There is 1 answer

Answer by logidelic:

Finally realized that the answer is to add the Partitioned param when setting the cookie, as in:

document.cookie = "num="+num+"; SameSite=None; Secure; Partitioned";

It seems that Firefox does this implicitly, hence the different behavior.
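
An added example, not part of the original question or answer: a simplified model of the cookie jar when third-party cookies are blocked, showing why the unpartitioned cookie from the question is never stored and how a Partitioned cookie is keyed by the parent site. The ModelCookieJar class, its rules, the visit helper and the site other-parent.example are assumptions made for illustration, not browser code.

```javascript
// Added example: simplified model of cookie storage with third-party cookies
// blocked. The class and its rules are assumptions for illustration, not
// browser code. Sites are compared as plain strings.
function parseCookie(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Map(attrs.filter(Boolean).map((a) => {
    const [k, v = ''] = a.split('=');
    return [k.trim().toLowerCase(), v.trim().toLowerCase()];
  }));
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), flags };
}

class ModelCookieJar {
  constructor() { this.store = new Map(); }

  // topSite: site shown in the address bar; frameSite: site of the document
  // that runs `document.cookie = cookieString`.
  set(topSite, frameSite, cookieString) {
    const { name, value, flags } = parseCookie(cookieString);
    const crossSite = topSite !== frameSite;
    const partitioned = flags.has('partitioned');
    if (!flags.has('secure') && (partitioned || flags.get('samesite') === 'none')) {
      return 'rejected: Secure is required';
    }
    if (crossSite && flags.get('samesite') !== 'none') {
      return 'rejected: SameSite=None is required in a cross-site frame';
    }
    if (crossSite && !partitioned) return 'blocked: unpartitioned third-party cookie';
    // A partitioned cookie is keyed by the top-level site as well as its own site.
    this.store.set([partitioned ? topSite : '', frameSite, name].join('|'), value);
    return 'stored';
  }

  get(topSite, frameSite, name) {
    const keys = [[topSite, frameSite, name].join('|')];
    if (topSite === frameSite) keys.push(['', frameSite, name].join('|'));
    for (const k of keys) if (this.store.has(k)) return this.store.get(k);
    return '';
  }
}

// The page's counter script, run against the model instead of document.cookie.
function visit(jar, topSite, attrs) {
  const num = (parseInt(jar.get(topSite, 'domain2.com', 'num'), 10) || 0) + 1;
  const result = jar.set(topSite, 'domain2.com', `num=${num}; ${attrs}`);
  return { num, result };
}
```

In this model the counter under domain1.com and the counter under another parent site never share a value, which is the isolation that lets a partitioned cookie be stored while third-party cookies are blocked.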