Avatar for Username

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

Learn More

此討論串已被封存。 如果您有需要幫助,請新增一個新問題

iframes, sessions within iframes, CORs & 3rd Party Cookies - Any documentation, and interaction should allow cookies?

  • 1 回覆
  • 1 有這個問題
  • 15 次檢視
  • 最近回覆由 GerardoPcp04

own3mall
own3mall
more options

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them.

I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used).

https://github.com/own3mall/firefox-3rd-party-cookies-test

I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this?

This seems like a serious problem that needs a better solution, and I like the interaction idea.

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them. I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used). https://github.com/own3mall/firefox-3rd-party-cookies-test I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this? This seems like a serious problem that needs a better solution, and I like the interaction idea.

所有回覆 (1)

GerardoPcp04
GerardoPcp04
  • Top 10 Contributor
more options

Hello, I think you could report it as a bug and talk directly with the programmers / developers: https://bugzilla.mozilla.org/ Create an account: https://bugzilla.mozilla.org/createaccount.cgi

Please copy the link of the open bug here and continue your query in bugzilla forum. Thank you

由 GerardoPcp04 於 修改