9
votes

After several hours of setting options, headers and cookies on requests and responses in Angular and jQuery, CORS cookies with Apple Safari still don't work for us.

This page shows the same issue:

http://arunranga.com/examples/access-control/credentialedRequest.html

Hitting it with either PC or Mac Safari will not save the cookie and thus always reply:

 I do not know you or anyone like you so I am going to mark you with a Cookie :-)
 I do not know you or anyone like you so I am going to mark you with a Cookie :-)
 I do not know you or anyone like you so I am going to mark you with a Cookie :-)

Is there still, in 2015, Safari 7 or 8, no way to enable CORS cookies with Safari on a 3rd-party domain? (Without simulating a visit to that domain?)


1 Answer

12
votes

Apple has closed all the loopholes and Safari (desktop and mobile) will block all 3rd-party cookies and storage data by default, and will limit 1st-party data based on several factors like tracking signatures, time since last visit, and active usage. There are no workarounds.


As of 2016:

Safari blocks 3rd-party cookies by default. The only way to allow 3rd-party cookies is to effectively make them 1st-party at some point by going directly to that domain, or using a redirect through that domain.

The localStorage and cookie API methods will work, but the data can't be read across different domains. localStorage does not work in Safari Private mode.

As of 2018:

Safari's Intelligent Tracking Protection (ITP) now also removes cookies even if set with a 1st-party redirect, using custom whitelists and machine learning to only keep cookies for websites that users have interacted with recently. 1st-party cookies can still be set via 3rd-party JavaScript.

As of 2019:

ITP version 2+ limits 1st-party cookies set by 3rd-party JavaScript. Only 1st-party cookies set by the 1st-party domain (either server-side or via JavaScript) will be kept.

As of 2020:

ITP version 2.3+ blocks all 3rd-party access of any kind, and all 1st-party cookies/storage are deleted 7 days after the last interaction with the site. Limited 3rd-party access can be granted through the new Storage Access API.
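As an added illustration of the Storage Access API route mentioned above (example code written for this page, not from the question, the answer or Apple's documentation): an embedded third-party frame checks whether it already has cookie access, asks for it from inside a user gesture, and only then issues a credentialed cross-origin request. The `doc` and `fetchFn` parameters are assumptions so the logic can be exercised outside a browser; in a real page you would pass `document` and `window.fetch`, and the server still has to answer with `Access-Control-Allow-Credentials: true` and a non-wildcard `Access-Control-Allow-Origin`.

```javascript
// Added example, not code from the original post. `doc` / `fetchFn` are
// injected stand-ins for `document` / `window.fetch` (assumption for testing).

async function ensureStorageAccess(doc) {
  // Browsers without the API never partitioned us out: nothing to ask for.
  if (typeof doc.hasStorageAccess !== "function") {
    return { granted: true, requested: false };
  }
  if (await doc.hasStorageAccess()) {
    return { granted: true, requested: false };
  }
  // requestStorageAccess() must run inside a user gesture (e.g. a click
  // handler); Safari rejects the promise otherwise, which we report as denial.
  try {
    await doc.requestStorageAccess();
    return { granted: true, requested: true };
  } catch (err) {
    return { granted: false, requested: true, reason: String(err) };
  }
}

async function fetchWithCookies(doc, fetchFn, url) {
  const access = await ensureStorageAccess(doc);
  if (!access.granted) {
    // Without access the cookie would not be attached anyway; skip the call.
    return { ok: false, access };
  }
  // credentials: "include" is what makes the browser send cookies cross-origin.
  const resp = await fetchFn(url, { credentials: "include" });
  return { ok: resp.ok, access };
}

// Constructed fake of a Safari document inside an iframe. `userGesture`
// simulates whether the request happens during user activation.
function makeFakeDocument({ hasAccess, userGesture }) {
  let granted = hasAccess;
  return {
    hasStorageAccess: async () => granted,
    requestStorageAccess: async () => {
      if (!userGesture) throw new Error("not in a user gesture");
      granted = true;
    },
  };
}

// Constructed fake fetch: "succeeds" only when cookies were requested.
const fakeFetch = async (url, opts) => ({ ok: opts.credentials === "include" });
```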