iframes, sessions within iframes, CORS - 3rd Party Cookies

Discussion of features in Mozilla Firefox
earnolmartin
Posts: 16
Joined: March 26th, 2009, 8:15 am

iframes, sessions within iframes, CORS - 3rd Party Cookies

Post by earnolmartin »

Hi All,

I posted this question on StackOverflow earlier today:

https://stackoverflow.com/questions/543 ... nt-conside

Is there any documentation from Mozilla or anyone else regarding sessions in iframes or what the definition of 3rd party cookies is? Basically, I have an embeddable iframe widget that can be used on any website. With the proper CORS headers set, I'm seeing strange behavior when an iframe first loads in terms of session management. If I try to start a new session and set a session variable when the iframe content initially loads on a cross-origin domain, Firefox will not send the cookie containing the session ID with the next request (even if withCredentials is set on the AJAX call). However, if the user interacts with the iframe and an AJAX request is made as a result of the user interaction, the subsequent calls will respect and use the session cookie retrieved from the first interacted call. Is this intended behavior?

Basically, if I load this iframe on https://domain.com (and the iframe is loaded and the user is not interacting with it):


<iframe src="https://domain1.com/test.php"></iframe>
And test.php contains the following:


<?php
    // Start (or resume) the PHP session under the custom cookie name.
    // On the first load this answers with Set-Cookie: a_service=<session id>.
    session_name("a_service");
    session_start();
    $_SESSION["yes"] = "yes";
?>
The next request won't send this original session cookie that contains the ID for the session where the "yes" session key has been set. However, if the user interacts with the iframe and clicks on a button that sends an AJAX request to https://domain1.com/test2.php which contains:


<?php
    session_name("a_service");
    session_start();
    // isset() avoids an "undefined index" notice when neither key exists yet;
    // the truthiness test is otherwise the same as before.
    if (isset($_SESSION["yes"]) || isset($_SESSION["no"])) {
        echo "SESSION WAS MAINTAINED!";
    } else {
        echo "SESSION was NOT maintained...";
        $_SESSION["no"] = "No";
    }
?>
"SESSION was NOT maintained..." is output, and any session key set (in this case the "no" key, because the "yes" key has no value, as no cookie was sent from the initial load of the iframe) will be maintained on subsequent calls. So if the user clicks on the same button again, and https://domain1.com/test2.php processes the AJAX request as before, this time the session is maintained and "SESSION WAS MAINTAINED" is output.

So, it would seem that session cookies are only sent once the user has interacted with the iframe? If the user hasn't interacted with the iframe, are any cookies set on load considered 3rd party and possibly blocked by the browser if the cookie setting is set to "Block cookies and site data - Type blocked: Cookies from unvisited websites"? I'd just like clarification as to when this setting will make Firefox not send any cookies retrieved on load and when it will store and send the session cookie back to the server once the user has interacted with the iframe.

Any help is appreciated.
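Added example (not from the poster, and not Firefox's code): a simplified model of the decision a browser makes when a cookie is set or sent from inside an embedded iframe, replaying the exact sequence described above (https://domain.com embeds https://domain1.com/test.php, session_start() answers with a Set-Cookie, then an AJAX call to test2.php is made with credentials). The point it shows is that "third party" is decided by comparing the site of the top-level page with the site of the request, not by whether the user has interacted with the iframe, and that the "from unvisited websites" setting additionally looks at whether the widget's host was previously opened as a first-party page. The behaviour numbers mirror Firefox's network.cookie.cookieBehavior values 0 to 3; the site() function is an assumption for this example (it takes the last two host labels instead of consulting the public-suffix list), and the session id is a constructed value.

```javascript
// Model of first-party vs third-party cookie handling (added example, not
// browser code). "First party" is the site of the top-level page; a request
// to any other site from inside the iframe is "third party".
const BEHAVIOR = Object.freeze({
  ACCEPT_ALL: 0,                // network.cookie.cookieBehavior = 0
  BLOCK_THIRD_PARTY: 1,         // = 1
  BLOCK_ALL: 2,                 // = 2
  THIRD_PARTY_FROM_VISITED: 3,  // = 3 ("Cookies from unvisited websites" blocked)
});

// Assumption: registrable domain = last two host labels (no public-suffix list).
function site(urlString) {
  const labels = new URL(urlString).hostname.split('.');
  return labels.slice(-2).join('.');
}

function isThirdParty(topLevelUrl, requestUrl) {
  return site(topLevelUrl) !== site(requestUrl);
}

class CookieJar {
  constructor(behavior) {
    this.behavior = behavior;
    this.visitedFirstParty = new Set(); // sites the user has opened as a top-level page
    this.cookies = new Map();           // "site|name" -> value
  }

  visit(topLevelUrl) {
    this.visitedFirstParty.add(site(topLevelUrl));
  }

  // The same rule gates storing a Set-Cookie and attaching a Cookie header.
  allowed(topLevelUrl, requestUrl) {
    const thirdParty = isThirdParty(topLevelUrl, requestUrl);
    switch (this.behavior) {
      case BEHAVIOR.ACCEPT_ALL:
        return true;
      case BEHAVIOR.BLOCK_ALL:
        return false;
      case BEHAVIOR.BLOCK_THIRD_PARTY:
        return !thirdParty;
      case BEHAVIOR.THIRD_PARTY_FROM_VISITED:
        return !thirdParty || this.visitedFirstParty.has(site(requestUrl));
      default:
        throw new Error(`unknown behavior ${this.behavior}`);
    }
  }

  // Returns true when the Set-Cookie from responseUrl was actually stored.
  store(topLevelUrl, responseUrl, name, value) {
    if (!this.allowed(topLevelUrl, responseUrl)) return false;
    this.cookies.set(`${site(responseUrl)}|${name}`, value);
    return true;
  }

  // Cookie header attached to a credentialed request made from the iframe.
  cookieHeader(topLevelUrl, requestUrl) {
    if (!this.allowed(topLevelUrl, requestUrl)) return '';
    const prefix = `${site(requestUrl)}|`;
    return [...this.cookies]
      .filter(([key]) => key.startsWith(prefix))
      .map(([key, value]) => `${key.slice(prefix.length)}=${value}`)
      .join('; ');
  }
}

// Replays the post: the iframe load of test.php answers with
// Set-Cookie: a_service=<id>; the widget then calls test2.php with credentials.
function replayPost(behavior, visitedWidgetHostFirst = false) {
  const top = 'https://domain.com/';
  const jar = new CookieJar(behavior);
  jar.visit(top);
  if (visitedWidgetHostFirst) jar.visit('https://domain1.com/'); // opened in another tab
  const stored = jar.store(top, 'https://domain1.com/test.php', 'a_service', 'sess1'); // constructed id
  const header = jar.cookieHeader(top, 'https://domain1.com/test2.php');
  return { stored, sessionMaintained: header.includes('a_service=sess1') };
}
```

With behaviour 3 and domain1.com never opened as a first-party page, replayPost() reports that the Set-Cookie from the initial iframe load was never stored, so the follow-up request has nothing to send, whatever the user clicked in between; opening domain1.com directly in another tab first flips both results to true. One gate this model omits, because it postdates the thread: current Firefox and Chrome only deliver a cookie cross-site when it carries `SameSite=None; Secure`, so a PHP widget should call `session_set_cookie_params(['samesite' => 'None', 'secure' => true])` (PHP 7.3+) before `session_start()`.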
earnolmartin
Posts: 16
Joined: March 26th, 2009, 8:15 am

Re: iframes, sessions within iframes, CORS - 3rd Party Cookies

Post by earnolmartin »

OK, forget what I said about user interaction. That seems to have nothing to do with it.

https://github.com/earnolmartin/iframe_ff_testing

I created a basic test to see if I could get Firefox to maintain sessions with iframes using a cross-origin domain as the source. Unfortunately, I could not. Is there any work-around, or a way to detect the user's 3rd party cookie settings so I can warn them? I'd still like to know what is considered 3rd party, and what happens if you visit the cross-origin domain directly in another tab before interacting with that iframe. Is it still considered 3rd party then? What is the behavior and rules for this?
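Added example (not from the poster or the linked repository): a probe the widget can run inside its iframe to find out whether the embedding browser will carry its cookies, so it can warn the user instead of silently losing the session. It makes one credentialed request that sets a throwaway cookie and a second credentialed request that reports whether the cookie came back; if it did not, third-party cookies are blocked for this embedding. The two server endpoints, /probe/set (answering with `Set-Cookie: tp_probe=1; Path=/; Secure; SameSite=None`) and /probe/check (answering `{"cookie": true}` when the Cookie header carried tp_probe), are assumptions for this example, as is the widget origin https://domain1.com. The fake fetch at the end exists only so the probe can be exercised outside a browser; in the widget, the browser's own fetch is used.

```javascript
// Third-party cookie probe run from inside the widget iframe (added example).
// Assumed endpoints on the widget origin:
//   GET /probe/set    -> Set-Cookie: tp_probe=1; Path=/; Secure; SameSite=None
//   GET /probe/check  -> {"cookie": true} if the Cookie header had tp_probe, else {"cookie": false}
function probeRequests(widgetOrigin) {
  // credentials: 'include' is the fetch() equivalent of XHR withCredentials;
  // without it the browser would not attach cookies even when it allows them.
  const init = { credentials: 'include', cache: 'no-store' };
  return [
    { url: `${widgetOrigin}/probe/set`, init },
    { url: `${widgetOrigin}/probe/check`, init },
  ];
}

// Only an explicit {"cookie": true} counts as "cookies work".
function interpretCheck(body) {
  return Boolean(body) && body.cookie === true;
}

async function thirdPartyCookiesAvailable(widgetOrigin, fetchImpl = globalThis.fetch) {
  const [setReq, checkReq] = probeRequests(widgetOrigin);
  const setRes = await fetchImpl(setReq.url, setReq.init);
  if (!setRes.ok) throw new Error(`probe set failed: ${setRes.status}`);
  const checkRes = await fetchImpl(checkReq.url, checkReq.init);
  if (!checkRes.ok) throw new Error(`probe check failed: ${checkRes.status}`);
  return interpretCheck(await checkRes.json());
}

// What the widget does with the answer: warn, and avoid starting a session
// the browser will never send back.
async function warnIfBlocked(widgetOrigin, showWarning, fetchImpl = globalThis.fetch) {
  const ok = await thirdPartyCookiesAvailable(widgetOrigin, fetchImpl);
  if (!ok) {
    showWarning('Your browser is blocking cookies for this embedded widget, so your session cannot be kept.');
  }
  return ok;
}

// Stand-in for browser + server so the probe runs offline (constructed, not a
// real browser): when blockThirdParty is true the Set-Cookie is dropped, which
// is what the widget sees under the "unvisited websites" setting.
function fakeFetchFactory(blockThirdParty) {
  let jarHasProbe = false;
  return async function fakeFetch(url, init) {
    if (!init || init.credentials !== 'include') {
      throw new Error('probe requests must be credentialed');
    }
    const path = new URL(url).pathname;
    if (path === '/probe/set') {
      if (!blockThirdParty) jarHasProbe = true;
      return { ok: true, status: 200, json: async () => ({}) };
    }
    if (path === '/probe/check') {
      return { ok: true, status: 200, json: async () => ({ cookie: jarHasProbe }) };
    }
    return { ok: false, status: 404, json: async () => ({}) };
  };
}
```

Run `warnIfBlocked('https://domain1.com', alert)` once when the iframe loads (with the real fetch) and gate session-dependent features on the result. Firefox 65 and later also expose `document.hasStorageAccess()`, which resolves to whether the iframe currently has cookie access under the user's settings; the probe above has the advantage of measuring what the server actually receives, SameSite and CORS configuration included.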