Homam's Mind

Wednesday, February 10, 2010

iframe Cookies in Safari

Older Hyzonia games depend on session and authentication cookies. This dependency has been removed in the newer games, which store the session ID in JavaScript variables; the cookie-independent services explicitly require a session ID to be sent by their clients.

In this post I am not going to dig into the details of session management in the Hyzonia platform; I just want to highlight a series of problems in the old scheme that led us to redesign the session management behavior.

Hyzonia games can be embedded in publishers' websites using a piece of code we call Hyzobox. Hyzobox basically renders an iframe in the web page. The internet domain where the actual game is hosted may differ from the publisher's domain. If you have ever tried this before, you know that we are going to have a lot of cross-site security issues.

To address cross-site scripting issues we developed the Hyzobox In/Out API. A publisher can control certain things in the game and be notified about the events occurring inside the game using In/Out. It is a JavaScript-based solution and, somewhat surprisingly, is widely supported in all major browsers. The In/Out API is not public yet, but we are using it extensively on www.hyzogames.com. For instance, whenever you win in a game, Hyzogames.com is notified about this event (winning) and may show you a message box.

But cookies are another issue. Different browsers behave very differently when it comes to handling cookies in iframes. For starters, for it to work in IE you need a P3P header like this:

CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

There's a lot to say here; I have a long-standing view that P3P is generally useful, but this kind of usage is pointless. Anyway, for now just add it to your response and relax.

But Safari still rejects the cookies that iframes try to write. The rationale is that Safari only wants to accept cookies from websites that the user directly visits. It's not a bad idea for privacy. Let's assume you are visiting a fan website for The Grudge: thegrudgefans.com is using Google AdSense (substitute any evil multibillion-dollar internet ad service for Google :D) to display some ads, or even just in the background. AdSense is running inside an iframe and writes a cookie on your computer indicating that you're a fan of nonsense horror teen movies. Now it is written on your face that you're a fan of The Grudge, and AdSense can use this cookie anywhere else on the internet. OK, you get the idea.

The problem was that this privacy feature in Safari was breaking our Hyzobox User Integration (a kind of single sign-on service). Safari users can always turn on a checkbox in the preferences to accept all cookies, but that is not the default. The workaround is that the page that writes the cookies must be loaded as the result of a direct user request. Literally, this means that before writing any cookie you have to provide a hyperlink (an explicit anchor tag) in your iframe that takes the user to the page that writes the cookie.

5 comments:

Christiaan said...

Your work around is true, but not complete. The provided hyperlink should take the user to the page OUTSIDE of the iframe.

My way of doing so is:
var isSafari = /Safari/.test(navigator.userAgent) && !/Chrome/.test(navigator.userAgent); // assumed definition, not in the original comment
if (isSafari && window.top !== window.self) { // inside an iframe (reading top.location.href throws when the parent is another domain)
document.write('<a href="' + window.location.href + '" target="_top">Click here to view this page outside this iframe contained by another domain.</a>');
}

Homam Hosseini said...

If you mean that top location should be the same as the window location, then the page is not actually inside an iframe.

It is possible to write the cookie if the page is inside an iframe; the point is the user must initiate the process (by clicking on a hyperlink or submitting a form) before Safari allows any cookie to be written.

myegy ماى ايجى said...

inspiring us to write such a nice post http://m-yegy.blogspot.com thanks

favicon maker said...

Wow, this article is fastidious, my sister is analyzing such things,
therefore I am going to tell her.

chennai independent escorts said...

Good day! This is my first comment here so I just wanted to give a quick
shout out and tell you I genuinely enjoy reading through your articles.

Can you suggest any other blogs/websites/forums that cover the same
topics? Thanks!