IFrame Cookies

1-safari-iframe-cookie-work-around.md

IFrames and Cookies

Browsers handle cookies issued by IFrames in different ways. Some browsers don't need any special treatment. But others require more work.

Largely, there are two required fixes:

P3P Header

In most browsers, setting the P3P header will allow iframes to set cookies:

P3P: CP=HONK

Safari POST Fix

Safari requires either some user interaction (for example if they follow a link inside your iframe, you can then set cookies on that second request). But you can also bypass this restriction by triggering a POST to a hidden iframe using JavaScript.

Example

The attached example uses both these techniques and show's the PHP code necessary to do the same. Note, in this case the hidden form is POSTing to the currently loaded page. This is not optimal, first, because the currently loaded page may not support a POST. And second, because you may be able to load a lighter weight page that just issues cookies and does not otherwise contain any content.

Live Test Case.

example.php

<?php
  header('P3P: CP=HONK');
  setcookie('test_cookie', '1', 0, '/');
?>
<div id="test_cookie" style="position: absolute; top: -10000px"></div>
<script>
  window.setTimeout(function() {
    if (document.cookie.indexOf('test_cookie=1') < 0) {
      var      
        name = 'test_cookie',
        div = document.getElementById(name),
        iframe = document.createElement('iframe'),
        form = document.createElement('form');

      iframe.name = name;
      iframe.src = 'javascript:false';
      div.appendChild(iframe);

      form.action = location.toString();
      form.method = 'POST';
      form.target = name;
      div.appendChild(form);

      form.submit();
    }
  }, 10);
</script>