I'm the provider of an iframe-embedded app that relies on (third-party) cookies. I use ITP for ensuring I have storage access. Even though hasStorageAccess() returns true, I detect cookies are not persisted. This happens because of the old WebKit "you need to have had first-party interaction before third-party cookies work" (see e.g. 218396). Letting the user do first-party interaction indeed solves the problem. However, Safari (15.6.1) seems to forget the first-party interaction on every browser restart (even if the first-party interaction was only minutes earlier). This means the user needs to go through the entire first-party interaction every time they start their browser, which is obviously time-consuming. Is this expected? I have the impression that this is relatively recent?
<rdar://problem/100430679>
I'm having difficulty reproducing this on trunk WebKit. Safari appears to remember first-party interaction each time I request storage access from a third party iframe, even after closing the browser.
I tried with Safari 16.2, and I still experience the problem. After going through the Storage Access API, the code I use tries to set a (client-side) cookie in JavaScript, and read it back immediately. If this fails, I assume cookie storage doesn't work, and that this is due to missing first-party interaction. When I do this on a fresh browser instance, the check always fails. If I first go to our first-party website, sign in and out (to get first-party interaction), and then do the same third-party flow, it works fine.
It looks like storage access and another cookie set is required to access document.cookie in a third-party iframe. Could your issue be that the cookies you set on your first-party website aren’t persisted after Safari closes? It’s possible we should still change some behavior here though.
Hi! We have a comprehensive guide under “How To Use the Storage Access API” here: https://webkit.org/blog/11545/updates-to-the-storage-access-api/ See if any of those steps and explanations help you narrow this down. Thanks!
@Charlie I was assuming the 'first-party interaction with a cookie' was kept track of internally in Safari. I didn't consider it was related to the actual cookie. The cookie we were setting was indeed defaulting to session lifetime, so was not persisted across restarts. Setting a cookie with a timeout indeed seems to solve the issue. thanks!
(In reply to Remko Tronçon from comment #6)
> @Charlie
>
> I was assuming the 'first-party interaction with a cookie' was kept track of
> internally in Safari. I didn't consider it was related to the actual cookie.
>
> The cookie we were setting was indeed defaulting to session lifetime, so was
> not persisted across restarts. Setting a cookie with a timeout indeed seems
> to solve the issue.
>
> thanks!

It doesn’t have to do with user interaction as first party but with the underlying cookie policy. Step 4 in the guide I linked to:

“Set cookies when you are first-party. This establishes the website as “visited” for the purposes of the underlying cookie policy. Third parties without cookies cannot set cookies in Safari and never have since Safari 1.0 in 2003. This means you cannot use the Storage Access API as third-party until you have set at least one cookie as first party.”
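Added example, not part of the thread or of WebKit's code: the thread resolved to a first-party cookie that defaulted to session lifetime, so this sketch audits `Set-Cookie` header values and reports which ones would be discarded when the browser quits. The function names and the sample headers are constructed for illustration; lifetime rules follow RFC 6265 (`Max-Age` takes precedence over `Expires`).

```javascript
// Classify one Set-Cookie header value by lifetime:
//   "session"    - no usable Max-Age/Expires, dropped when the browser quits
//   "persistent" - survives a restart until expiresAt
//   "expired"    - Max-Age <= 0 or Expires in the past, deleted immediately
function cookieLifetime(setCookie, now = Date.now()) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim();
    // Unparseable values are ignored, as RFC 6265 directs.
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = parseInt(value, 10);
    if (key === "expires" && !Number.isNaN(Date.parse(value))) expires = Date.parse(value);
  }
  if (maxAge !== null) {
    // Max-Age wins over Expires when both are present.
    return maxAge > 0
      ? { name, kind: "persistent", expiresAt: now + maxAge * 1000 }
      : { name, kind: "expired", expiresAt: now };
  }
  if (expires !== null) {
    return { name, kind: expires > now ? "persistent" : "expired", expiresAt: expires };
  }
  return { name, kind: "session", expiresAt: null };
}

// Constructed sample headers, as a first-party site might send them.
const SAMPLE_HEADERS = [
  "sid=abc123; Path=/; Secure; HttpOnly",                           // session
  "visited=1; Path=/; Secure; Max-Age=2592000",                     // persistent
  "visited=1; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",       // expired
  "visited=1; Max-Age=3600; Expires=Wed, 01 Jan 2020 00:00:00 GMT", // Max-Age wins
];

function auditHeaders(headers, now = Date.now()) {
  return headers.map((h) => cookieLifetime(h, now));
}
```

If every cookie the first-party site sets comes back as `session`, nothing is left after a restart to mark the site as "visited" for the cookie policy quoted above.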