Cookies/Session in iframe - where I only control the iframe content

This is a webdev question, and it is not directly related to Brave, but Brave is one of the only browsers with default block of third party cookies, so here goes:
My problem is when my app is forced into an iframe, e.g., Office Add-Ons, as I use cookies to store session. I don’t need to remember session from another parent url, creating a new session is fine, but the session must persist inside the iframe.
In other browsers where third party cookies aren’t blocked this isn’t a problem, there set-cookie works fine.

I also don’t understand how normal OAuth would work in the iframe scenario; first of all one must use a popup - or else the iframe should be blocked by X-Frame-Options: Deny from OAuth server - and popup requires user interaction to not be blocked.
Implicit flow (hidden iframe) won’t work because of both X-Frame-Options: Deny and blocked third party cookies, so every hour (if default token timeout) there must be a new popup, which requires user interaction. Technically possible, but not very user friendly.
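
The constraints described in the post above, worked through as an added example that is not part of the original post: it models when a framed app keeps its own session cookie and whether token renewal can use a hidden iframe or needs a popup. All function names and hosts are hypothetical, and the site comparison is a simplification of what browsers do.

```javascript
// Added example: helper names are hypothetical, hosts are placeholders.
// Simplified "site" (scheme + last two host labels). Real browsers use the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
}

// May a response carrying this X-Frame-Options value render inside a frame
// whose ancestors are `ancestorUrls` (immediate parent up to the top page)?
function framingAllowed(xfo, resourceUrl, ancestorUrls) {
  const value = (xfo || '').trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') { // current browsers compare every ancestor
    const origin = new URL(resourceUrl).origin;
    return ancestorUrls.every((a) => new URL(a).origin === origin);
  }
  return true; // header absent or unrecognised: no restriction from XFO
}

// A cookie is third-party when the frame's site differs from the top-level site.
function cookieAvailable(frameUrl, topUrl, blockThirdParty) {
  return !(blockThirdParty && siteOf(frameUrl) !== siteOf(topUrl));
}

// Decide how a framed app can obtain a fresh token from the authorization server.
function renewalPlan({ topUrl, appUrl, authUrl, authXfo, blockThirdParty }) {
  const reasons = [];
  if (!framingAllowed(authXfo, authUrl, [appUrl, topUrl]))
    reasons.push('authorization endpoint refuses framing');
  if (!cookieAvailable(authUrl, topUrl, blockThirdParty))
    reasons.push('authorization server session cookie is blocked as third-party');
  return {
    appSessionCookie: cookieAvailable(appUrl, topUrl, blockThirdParty),
    method: reasons.length ? 'popup' : 'hidden-iframe',
    reasons,
  };
}

// Constructed scenario matching the post: framed add-in, XFO Deny, blocking on.
const framedAddIn = {
  topUrl: 'https://host.example.net/document',
  appUrl: 'https://addin.example.com/taskpane',
  authUrl: 'https://login.example.org/authorize',
  authXfo: 'DENY',
  blockThirdParty: true,
};
console.log(renewalPlan(framedAddIn));
```

A popup is a top-level browsing context, so neither the framing header nor third-party cookie blocking applies to it, which is why the model falls back to it.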
