iframes, sessions within iframes, CORS & 3rd Party Cookies - Any documentation, and interaction should allow cookies?

  • 1 reply
  • 1 has this problem
  • 12 views
  • Last reply by GerardoPcp04


As a web developer, I create a lot of embeddable cross origin iframe widgets. Unfortunately, if you have configured the Firefox setting of "Block cookies and site data" to "Cookies from unvisited websites", my iframe widgets no longer work when used on a cross origin domain, as they rely on user sessions. Is there any documentation that defines what 3rd party cookies are? I understand some users want to block them (as I myself was doing until I realized that would break my iframe widgets), but what I don't understand is why the cookies are continually blocked if a user specifically interacts with an iframe widget. Doesn't user interaction imply it's now a visited website? I should think the first load of the iframe would trigger blocked cookies, but if the user interacts with the iframe content willingly (by clicking a button which triggers an ajax call, for example), any resulting cookies should be respected even if Firefox is set to block 3rd party cookies. I'm all for blocking 3rd party cookies that are loaded dynamically and are unwelcome, but if the user starts interacting with these iframes or controls, it would make sense to allow cookies, and that would be enough for my apps to not be broken if the user blocks 3rd party cookies. I think web developers need a solution for keeping their legitimate cross origin apps from being blocked by 3rd party cookie settings if users are interacting and using them.

I put together a sample application that shows how Firefox blocking third party cookies completely breaks sessions (since the cookie that is returned from the iframe call is discarded / not used).

https://github.com/own3mall/firefox-3rd-party-cookies-test

I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross origin domain as the source. Unfortunately, I could not. Is there any work-around, or an easy way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this?

This seems like a serious problem that needs a better solution, and I like the interaction idea.
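The detection the question asks about, as an added example that is not part of the original post or of the linked test repository: code running inside the embedded widget checks cookie access with the Storage Access API (`document.hasStorageAccess()` and `document.requestStorageAccess()`) plus a probe-cookie round trip. The function names and the probe cookie name are hypothetical, and it is an assumption that the browser implements this API and grants access under the user's cookie setting.

```javascript
// Added example. `doc` is the widget's own `document`; it is passed in as a
// parameter so the logic can also be exercised outside a browser with a stub.

// Write a short-lived probe cookie and check that it can be read back.
function cookieRoundTrip(doc) {
  const name = "widget_cookie_probe"; // hypothetical probe name
  // Cookies meant for cross-site frames need SameSite=None together with Secure.
  doc.cookie = `${name}=1; Max-Age=60; Path=/; SameSite=None; Secure`;
  const ok = doc.cookie.split("; ").some((c) => c === `${name}=1`);
  doc.cookie = `${name}=; Max-Age=0; Path=/; SameSite=None; Secure`; // clean up
  return ok;
}

// Returns "ok" (cookies usable now), "needs-gesture" (access can be requested
// from a click handler) or "blocked" (show the user a warning).
async function cookieStatus(doc) {
  if (typeof doc.hasStorageAccess === "function") {
    if (await doc.hasStorageAccess()) {
      return cookieRoundTrip(doc) ? "ok" : "blocked";
    }
    return typeof doc.requestStorageAccess === "function"
      ? "needs-gesture"
      : "blocked";
  }
  // No Storage Access API: fall back to the probe cookie alone.
  return cookieRoundTrip(doc) ? "ok" : "blocked";
}

// Call this from a click handler inside the widget: requestStorageAccess()
// is only honoured in response to a user gesture.
async function onUserClick(doc) {
  if ((await cookieStatus(doc)) === "ok") return "ok";
  if (typeof doc.requestStorageAccess !== "function") return "blocked";
  try {
    await doc.requestStorageAccess();
  } catch {
    return "blocked"; // the user or the browser refused access
  }
  return cookieRoundTrip(doc) ? "ok" : "blocked";
}
```

A `"blocked"` result is the point at which the widget can show the warning the question mentions; the session cookie set by the server needs the same `SameSite=None; Secure` attributes as the probe.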


All replies (1)


Hello, I think you could report it as a bug and talk directly with the programmers / developers: https://bugzilla.mozilla.org/ Create an account: https://bugzilla.mozilla.org/createaccount.cgi

Please copy the link of the open bug here and continue your query in bugzilla forum. Thank you

Modified by GerardoPcp04