Send Authorization cookie when using socket.io client inside Iframe via WebSocket

[ofirrifo]

You want to:

• report a bug

Current behaviour

I'm trying to create a websocket connection using socket.io client. My issue starts when my app is running inside an Iframe. The browser does not send the Authorization cookie which is being set by the server.

There is no CORS issue since the iframe and the server are running on the same domain.

The cookie configurations are: HttpOnly = true, Secure = true, SameSite = Strict.

It does work when the app is running without an iframe.

Example of my code

this.socket = io(`/${namespace}`, {
      transports: ['websocket'],
      path: '/.../socket.io'
    });

Expected behaviour

The cookie should be send.

Setup

• OS: mac
• browser: Chrome
• socket.io version: 2.2.0

[darrachequesne]

If the iframe origin (in the src attribute) and the parent origin differ, you won't be able to access the cookies.

There is nothing we can fix in Socket.IO.

See also: https://security.stackexchange.com/questions/182518/how-to-confirm-that-an-embedded-iframe-can-read-cookies-from-parent