From the Apple developer faq
Safari ships with a conservative
cookie policy which limits cookie
writes to only the pages chosen
("navigated to") by the user.
By default Safari only allows cookies from sites you navigate to directly. (i.e. if you click on links with the url of that domainname).
This means that if you load a page from your own site with an iFrame with a page from another site, that the other site is not able to set cookies. (for instance, a ticketshop). As soon as you have visited the other domain directly, the other site is able to access and change its own cookies.
Without having access to code on the other site, how can i make the user-experience as inobtrusive as possible?
Is there a (javascript?) way to check if the other site's cookies
are already set, and accordingly, show a direct link to the other site first, if needed?
Update:
The HTML5 feature 'window.postmessage' seems to be a nice solution.
There are some jQuery libraries that might help, and compatible with most recent browsers.
In essence, the iFrame document sends messages, with Json, thru the window element.
The very nice Postmessage-plugin, by daepark, which i got working.
and another jQuery postMessage, by Ben Alman i found, but haven't tested.
localStorage, supported by safari and all modern browsers, permits read/write operations even on pages loaded into iframes. if you don't mind dropping support for ie6 and ie7, try using localStorage instead of cookies in your framed site. i know your question specifically says you don't have access to code on the framed site, but for those who do, localStorage definitely solves the "no cookies in a safari iframe" problem.
This is an issue known as Same Origin Policy. Essentially it is a security measure against creating security loopholes.
When you have an iframe that points to a page on your own domain, JavaScript can access both the page you're on and the page within the Iframe. This is an acceptable parent to child and child to parent relationship.
(parent doc) (iframe doc)
HTML --> IFRAME <-- HTML
^--------|---------^
However, once you have a file pointing to an external page, SOP comes into play and haults any information passing between the parent page and the iframe page.
(parent doc) (iframe doc)
HTML --> IFRAME <-- HTML
X
Check out this post about iframe communication, it makes a lot of sense!
Stackoverflow post
These links really help too!
1) Secure Cross-Domain Communication in the Browser
2) wiki SOP or Same Origin Policy
Good luck!
This page suggests that you place some javascript in your pages which detects the absence of an always-there cookie. When it finds that the cookie has not been set, it posts the required session data to a page which sets the cookie, and redirects you back to the originating page.
Apparently the POST is enough to satisfy Safari's 'have I navigated to this domain' test, so from then on it accepts cookies from that domain.
Of course, it's not the nicest of code, but may well solve your problem.
One solution (a bit messy) might be to have the parent page check for the presence of the cookie and if the cookie is not present run an AJAX call to a script on the iframe page's domain which sets the cookie.
This is a common issue with facebook apps displayed in Safari. The way many (including myself) have dealt with this is to have the iframed page POST to itself. When a page has posted form data, it is then allowed to set cookies. In the end, it works with a 1 page refresh, which could even be your user login POST.