Safari’s iFrame cookie setting problem

My current project is a Facebook application that runs as an iFrame inside a Facebook page.
We use a small number of cookies to reduce the number of calls to Facebook and, we believe, to make the application more efficient.

Starting with version 6, Internet Explorer requires anyone using iFrames to send a header called P3P that describes the privacy policy of the page loaded inside the iFrame. This is a bit silly, because Internet Explorer will trust whatever you send it and then let the iFrame do whatever it needs to do with cookies. You can generate your own P3P header using these tools from IBM Alphaworks.

Safari, in an attempt to simplify matters, makes them much more complex. Its default cookie security setting is to accept cookies only from the sites you navigate to directly. So if you navigate to a site, any attempt to set a cookie from an iFrame that is not under that site's domain will fail. Possible solutions:

  • Tell your users they must enable cookies to use your app. Still, paranoid users will scoff, since you are telling them to change the security settings in their browsers
  • Use URL rewriting
  • Turn users of Safari away, telling them to use Firefox instead

Either way, Safari makes life that much less pleasant.
