Cross Domain localstorage does not work in Safari #37

Closed
rahiparikh opened this issue Nov 8, 2017 · 6 comments

@rahiparikh

commented Nov 8, 2017

I was going through an article written by Daniel Brain on Medium.com that explains how to use POST-ROBOT to perform cross-domain localStorage. The code works for all browsers except Safari.

See attached file for sample code. (Change extension from LOG to HTML).

receiver.log
sender.log

@bluepnume

Member

commented Nov 8, 2017

Hi! Yeah I wrote that article -- what specifically didn't work?

@rahiparikh

Author

commented Nov 9, 2017

@bluepnume If you try the test files in Safari, you would notice that localStorage is being set within the frame. However, localStorage available to the frame is sandboxed and the values stored via iframe are not exposed to any other page loaded from the domain of the iframe.

Reproduction Steps:

  1. Download the attached files and rename them to have .html extension.
  2. Create a loopback interface for 127.0.0.2.
  3. Edit hosts file and point 127.0.0.1 to domain1.example.com and 127.0.0.2 to domain2.example.com.
  4. Start two HTTP Servers/Listeners (using Python or something) to listen on both loopback addresses on port 3030 and move the downloaded files to webroot.
  5. Navigate to http://domain1.example.com:3030/sender.html in Safari.
  6. Observe the value of localStorage in Safari. You should notice a value being set.
  7. Navigate to http://domain2.example.com:3030/receiver.html in Safari.
  8. Observe the value of localStorage in Safari. You should not see the value that you saw in step 6.

@bluepnume

Member

commented Nov 9, 2017

Yeah, you seem to be right. I actually got your demo working, but I had to select "Always allow" in Safari's cookie and website data policy:

(Screenshot attached: screen shot 2017-11-08 at 7 58 39 pm)

I guess my advice would be to try to keep the store in the parent window, if possible, so it's always in a first-party context.
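
The advice in the comment above (keep the store in the parent window so it stays in a first-party context), sketched as an added example that is not part of the original thread or of post-robot's own code. It uses the raw `message` event shape rather than post-robot's API; `createStoreBroker`, `memoryStorage`, the `xd:` key prefix, the message fields and the allow-listed origin are assumptions made for illustration.

```javascript
// Added example: a parent-window storage broker. The top-level (first-party)
// page owns localStorage; embedded frames ask it to get/set values by message.
// All names here are hypothetical, not post-robot API.
function createStoreBroker(storage, allowedOrigins, prefix = 'xd:') {
  const allowed = new Set(allowedOrigins);
  // Returns a handler suitable for window.addEventListener('message', ...).
  return function onMessage(event) {
    // Exact-match allow-list; no substring or regex tests on event.origin.
    if (!allowed.has(event.origin)) return null;
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.key !== 'string') return null;
    // Namespace keys by requesting origin so a frame cannot read the parent's
    // own entries or another frame's values.
    const key = `${prefix}${event.origin}:${msg.key}`;
    let reply;
    if (msg.op === 'set' && typeof msg.value === 'string') {
      storage.setItem(key, msg.value);
      reply = { id: msg.id, ok: true };
    } else if (msg.op === 'get') {
      reply = { id: msg.id, ok: true, value: storage.getItem(key) };
    } else {
      reply = { id: msg.id, ok: false, error: 'bad request' };
    }
    // Reply only to the validated origin, never '*'.
    if (event.source) event.source.postMessage(reply, event.origin);
    return reply;
  };
}

// In-memory stand-in for localStorage so the broker can be exercised in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Browser wiring in the parent page. The origin is a constructed sample taken
// from the reproduction steps' host names.
if (typeof window !== 'undefined') {
  window.addEventListener('message',
    createStoreBroker(window.localStorage, ['http://domain2.example.com:3030']));
}
```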

@JamieSellars


commented Feb 15, 2018

@rahiparikh @bluepnume

Did you have any luck getting this to work?

@rahiparikh

Author

commented Feb 15, 2018

@andrebautista


commented Apr 17, 2018

I was hoping this library would solve my current issues around cross domain cookie/local storage tracking, however it looks like Safari will continue to haunt me. Expecting users to check "always allow" in the settings isn't exactly something you can rely on. The default Safari setting, "Allow from websites I visit", means that you'd first have to visit your iframe'd url in order to have cookies/local storage accessible from the parent website. Google, Facebook, and the other big hitters are able to accomplish this because most of us regularly visit their websites so their cookies can follow us wherever we go.

@bluepnume bluepnume closed this Dec 12, 2018
