[Webkit-unassigned] [Bug 217670] New: Safari blocking third party iframe cookies

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 13 14:31:25 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=217670

            Bug ID: 217670
           Summary: Safari blocking third party iframe cookies
           Product: WebKit
           Version: Safari 13
          Hardware: All
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: amol at cedar.com

We are running into a pretty unique issue regarding Safari blocking our third party cookies from an iframe. Here is our situation:

A user is authenticated into an application example.com and clicks on a tab. The tab renders a page that contains an iframe which is pointed to SiteA.com's launch URL to start an OAuth 2.0 SSO handshake. After successfully authenticating the user, SiteA.com will redirect the user to its home page. SiteA.com will set all cookies with SameSite set to None and Secure to True. As of now, Safari rejects the cookies, so SiteA.com cannot load on example.com in an iframe. We were hoping to use the Storage Access API, but it requires the user to interact with the embedded app or SiteA.com first. However, this isn't possible in this use case because SiteA.com is not shown to the user until after they have been authenticated. Is there a workaround for this use case?
