4
azuredivay
337d

Firefox won't access iFrame's domain's Auth cookies when the iFrame is hosted on a 2nd domain, even when the cookies are Secure, SameSite=None, and sandbox is as lax as possible.

Works on chromium-based browsers.

Looked up SO and it's just "oh I'm facing the same" x10. FFS.

Why does Firefox behave so retarded. Not doing their shrinking userbase numbers any favour :v

Comments
  • 3
    Idk, why are you trying to get stuff out of an iframe on another domain?
  • 0
    @spongessuck for auth, it's the 1st domain's credentials since 3rd party websites can embed a JS widget that shows user-contextual content from the 1st domain

    now can't make the users sign-in for each 3rd party website if they've signed-in once on the 1st domain, right?
  • 5
    I trust Mozilla, who has every reason to secure my data, over Google (a multinational ad company), who has every reason to make my data as accessible as possible.
  • 2
    Generally an iframe from another site is off limits unless cross origin or similar permission is specified.

    Cookie permissions by themselves do not allow cross domain access I think.
  • 1
    Woke alert! You are not allowed to use the R word or you will be censored.
  • 2
    Considering Chromium is constantly sucking your data up and slowly denying you any control over that process, they're killing their own userbase just fine, which is impressive for the engine behind 99% of browsers.

    @FuckJava that's retarded. and yes, I can say that, I have a debilitating mental affliction.
  • 0
    @Voxera but it's the iFrame source's cookies, imagine the YT Embed thing, the iFrame embedding YT doesn't know the owner site's cookies but loads google auth cookies to sign in user when watching the embedded video, it's that thing, the security part doesn't come into play since iFrame source n cookie domain is the same! + sameSite = None

    @cuddlyogre again, I'm reading my OWN domain's cookies, even from a security POV, the iFrame isn't accessing 2nd domain's cookies, it's trying to read its own cookies from the iFrame
  • 0
    @FuckJava at least I didn't say nigga 😤😤😤
  • 0
    @Parzi it's as if there were an olympics for companies competing to fail. They can't even call it the "special olympics" though. That one's already taken.