问题
Chrome is not allowing a child iframe to read its own cookies.
I have a parent webpage with a child iframe:
- parent at
https://first-site.com - child at
<iframe src="https://second-site.com">(inside of parent) - cookie set with
- path: '/'
- secure: true
- httpOnly: false
- domain: '.second-site.com'
I control both sites, and I want the iframe to perform an operation within the iframe that requires reading cookies for .second-site.com. The outer parent doesn't need to know anything about this.
It works in all browsers except for Chrome.
Chrome is simply not making the child page's own cookies available to the child.
Visiting the child page in its own window and performing the operation works in all browsers, including Chrome.
I've tried both of these options in all permutations:
- Set
secure:falseorsecure:truefor the cookie - Set
sandbox="allow-same-origin allow-scripts"for the iframe, or remove thesandboxattribute
What is Chrome doing differently, and how can an iframe in Chrome access its own cookies?
回答1:
There is a relatively new cookie attribute called SameSite that was being set by my server automatically. Disabling this (while retaining the settings listed in the question) allows the iframe access to its own cookies in Chrome.
See also Chrome feature status & IETF draft
来源:https://stackoverflow.com/questions/45094712/iframe-not-reading-cookies-in-chrome