Question

70

iframe not reading cookies in Chrome

rated 0 times [ 72] [ 2] / answers: 1 / hits: 61312 / 7 Years ago, fri, july 14, 2017, 12:00:00

Chrome is not allowing a child iframe to read its own cookies.

I have a parent webpage with a child iframe:

parent at https://first-site.com

child at <iframe src=https://second-site.com> (inside of parent)

cookie set with
- path: '/'
- secure: true
- httpOnly: false
- domain: '.second-site.com'

I control both sites, and I want the iframe to perform an operation within the iframe that requires reading cookies for .second-site.com. The outer parent doesn't need to know anything about this.

It works in all browsers except for Chrome.

Chrome is simply not making the child page's own cookies available to the child.

Visiting the child page in its own window and performing the operation works in all browsers, including Chrome.

I've tried both of these options in all permutations:

Set secure:false or secure:true for the cookie

Set sandbox=allow-same-origin allow-scripts for the iframe, or remove the sandbox attribute

What is Chrome doing differently, and how can an iframe in Chrome access its own cookies?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

arthur

Add To Favorites

Follow

Total Points: 729

Total Questions: 107

Total Answers: 109

Location: China

Member since Mon, Aug 22, 2022

2 Years ago

arthur questions

1 Error: Unexpected token (Note that you need plugins to import files that are not JavaScript) rollup vue package

Thu, Sep 2, 21, 00:00, 3 Years ago

1 Formik & Yup: How to validate if the provided date is eighteen years old?

Mon, Oct 19, 20, 00:00, 4 Years ago

1 Angular 9 how to use debouncetime for input change event (keyup)

Thu, Apr 30, 20, 00:00, 4 Years ago

1 Swiper and current page index

Wed, Feb 19, 20, 00:00, 4 Years ago

1 Google Maps API Billing not Enabled Error - Billing not open

Fri, Jan 10, 20, 00:00, 4 Years ago

View All

answered 7 Years ago anais · Accepted Answer

There is a relatively new cookie attribute called SameSite that was being set by my server automatically. Disabling this (while retaining the settings listed in the question) allows the iframe access to its own cookies in Chrome.

See also Chrome feature status & IETF draft

UPDATE Aug 2020

Chrome now blocks cookies without SameSite set, so you need to explicitly set it to samesite=none and secure=true.