Deeplink in third party iframe leads to a third party cookie block.

2
In one of our apps we send a deeplink to a third party, which opens the deeplink in an iframe from within their own web domain. For about 70% of their customers the iframe won't show the Mendix web form opened by the deeplink URL (anonymous user). The cause of this seems to be the blocking of third-party cookies. Because most browsers block third-party cookies by default, we need to solve this issue. Any ideas? More information: see the explanation by Cees vd Heuvel below!
asked
2 answers
1

Does the app not load at all, or does it show the login screen / anonymous home page? How does this relate to third-party cookies exactly? I mean, there are no cookies passed around anywhere it seems, just a link? Or are the cookies from the third party missing? Maybe a bit more detailed description of the problem helps to understand the problem, a simple flow diagram including (example) domains and URLs for example.

EDIT (Assuming you investigated the option to run on the same top-level domain, which is the no-brainer solution)

Did a quick look around; as far as I can see there is no easy way to work around this. However, I think a solution is to set up a redirect on the customer's domain. So say the iframe now starts at "app.intermediad.nl/link/customer", change it to something like "customer.nl/intermediad/link/customer" and make sure the link is picked up there and redirects to your "app.intermediad.nl/link/customer" (using an HTTP redirect header). I think that might work because the iframe is initially loaded at the same domain.

(If this is hard to set up with their sysops, it might be a bit easier to provide them an HTML page which does a redirect using a redirect meta tag)

answered
1

A brief additional explanation:

We have a customer that has a site where visitors can perform different activities (which may include login, so the site uses cookies). The URL looks like http://www.customer.nl so the (first-party) cookies are set from this domain.

We have a Mendix app that performs certain black-box activities for this customer but is also used as an independent full app using a completely different domain like http://app.intermediad.nl. When used independently, the Mendix session cookies (both anonymous and logged-in) are set from this domain of course.

The customer wants the visitor to stay in the context of his own site, so there is an iframe that opens the Mendix app, or actually a deeplink to the app with anonymous access enabled and with styling adapted to the customer's site. So something like http://app.intermediad.nl/deeplink/customer

When the iframe is loaded and the visitor reaches the deeplink page, the Mendix platform wants to set its session cookies, of course from the domain http://app.intermediad.nl. Browsers interpret these as third-party cookies (i.e. from a different domain than the original one) and in a lot of cases block these cookies, depending on the settings of the browser.

Different browsers then behave differently by either showing a completely blank iframe or the default anonymous homepage, but never the functional deeplink page.

If you enable third-party cookies in browsers (IE, FF, Chrome, Safari) full functionality is available as designed.

answered
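
The following is an added example, not code from either answer or from Mendix. It models how a browser classifies the session cookie as first- or third-party for the three setups mentioned in this thread: the direct iframe, the redirect via the customer's domain, and hosting the app under the customer's own domain. The suffix list, the redirect map and the host `app.customer.nl` are constructed assumptions.

```javascript
// Constructed, minimal public-suffix set (assumption); browsers use the full
// Public Suffix List to find a host's registrable domain ("site").
const PUBLIC_SUFFIXES = new Set(["nl", "com", "co.uk"]);

// Registrable domain = public suffix plus one label, e.g. "customer.nl".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: no registrable domain
}

// A cookie set by a framed document is third-party when that document's site
// differs from the site of the top-level page shown in the address bar.
function cookieContext(topLevelUrl, frameDocumentUrl) {
  const top = registrableDomain(new URL(topLevelUrl).hostname);
  const frame = registrableDomain(new URL(frameDocumentUrl).hostname);
  return top !== null && top === frame ? "first-party" : "third-party";
}

// Follow a constructed redirect map to the document that finally loads in the
// frame; that response, not the iframe's initial src, sets the session cookie.
function finalFrameDocument(srcUrl, redirects) {
  let url = srcUrl;
  for (let hops = 0; hops < 10 && url in redirects; hops++) url = redirects[url];
  return url;
}

function evaluate(topLevelUrl, iframeSrc, redirects = {}) {
  const finalUrl = finalFrameDocument(iframeSrc, redirects);
  return { finalUrl, context: cookieContext(topLevelUrl, finalUrl) };
}

// Constructed scenarios using the example URLs from this thread.
const TOP = "http://www.customer.nl/";
const scenarios = {
  direct: evaluate(TOP, "http://app.intermediad.nl/deeplink/customer"),
  redirect: evaluate(TOP, "http://customer.nl/intermediad/link/customer", {
    "http://customer.nl/intermediad/link/customer": "http://app.intermediad.nl/link/customer",
  }),
  sameSite: evaluate(TOP, "http://app.customer.nl/link/customer"), // hypothetical host
};
console.log(scenarios);
```

In this model only the setup where the framed document itself is served from the customer's registrable domain yields a first-party cookie; a redirect inside the iframe still ends on `app.intermediad.nl`, so the cookie stays third-party.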