Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Avatar for Username

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Ce sujet de discussion a été archivé. Veuillez poser une nouvelle question si vous avez besoin d’aide.

iframes, sessions within iframes, CORs & 3rd Party Cookies - Any documentation, and interaction should allow cookies?

  • 1 réponse
  • 1 a ce problème
  • 12 vues
  • Dernière réponse par GerardoPcp04

own3mall
own3mall
more options

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them.

I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used).

https://github.com/own3mall/firefox-3rd-party-cookies-test

I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this?

This seems like a serious problem that needs a better solution, and I like the interaction idea.

As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them. I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used). https://github.com/own3mall/firefox-3rd-party-cookies-test I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this? This seems like a serious problem that needs a better solution, and I like the interaction idea.

Toutes les réponses (1)

GerardoPcp04
GerardoPcp04
  • Top 25 Contributor
more options

Hello, I think you could report it as a bug and talk directly with the programmers / developers: https://bugzilla.mozilla.org/ Create an account: https://bugzilla.mozilla.org/createaccount.cgi

Please copy the link of the open bug here and continue your query in bugzilla forum. Thank you

Modifié le par GerardoPcp04