Question about ITP 2.0

Hello,
Here is our current use case, with domains changed to sample ones:


We have an iOS app which has a button with a deep link that opens the page exampleauthdomain.com in Safari. Once the page exampleauthdomain.com opens in Safari, the user is asked to click a button to accept. Upon clicking the button, a cookie is set for exampleauthdomain.com and the user is redirected via JavaScript to another page.

Later in the flow, the user visits another page that we vend in Safari, testdomain.com. In the testdomain.com page, there is an XMLHttpRequest to exampleauthdomain.com with the flag `withCredentials`[2] set to true. However, we notice that the cookie that was set on exampleauthdomain.com is not always sent up to the server.

As per our understanding from this excerpt from [1]:

“Is it enough for users to visit my website to keep its cookies from being purged if my domain gets classified by ITP?

No, a mere visit does not suffice. The user has to interact with your website, meaning a tap, click, or form entry. In ITP 2.0, user granted access through the Storage Access API also counts as such user interaction.”

the user has indeed interacted with the page exampleauthdomain.com because the cookie is set only after the user clicks on the button.

A few questions:

  • Why is the cookie not sent up to the server with XMLHttpRequest from testdomain.com?
  • What can we do to ensure the cookie will be sent up?
  • Is there a way to use ITP debug mode from Safari on iOS? We have enabled ITP debug mode in the experimental features on the iPhone, but do not see logs such as “About to block cookies in third-party contexts for: 3rdpartytestwebkit.org”


Thanks,

YashV


[1]: https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/

[2]: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials
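
A server-side diagnostic for the flow described in the post above, as an added example that is not part of the original post: a handler for exampleauthdomain.com that records whether each credentialed request from testdomain.com carried the cookie, and answers with the CORS headers a `withCredentials` request needs for its response to be readable. The cookie name `accepted`, the allow-list and all function names are assumptions.

```javascript
// Added diagnostic sketch, not code from the original post.
// ALLOWED_ORIGINS, COOKIE_NAME and all function names are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://testdomain.com']); // calling page in the post
const COOKIE_NAME = 'accepted'; // assumed; the post does not name the cookie

// A credentialed cross-origin response is readable by the page only when the
// server echoes the exact origin (never "*") and allows credentials.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return jar;
}

// Classify what the browser actually sent on this request.
function cookieState(headers) {
  if (!headers.cookie) return 'no-cookie-header';
  return parseCookies(headers.cookie).has(COOKIE_NAME) ? 'cookie-present' : 'cookie-missing';
}

// Handler with the (req, res) signature that Node's http.createServer expects.
function handle(req, res) {
  const state = cookieState(req.headers);
  // One JSON line per request so entries can be correlated by time and client.
  console.log(JSON.stringify({
    time: new Date().toISOString(),
    origin: req.headers.origin || null,
    userAgent: req.headers['user-agent'] || null,
    state,
  }));
  res.writeHead(200, { 'Content-Type': 'application/json', ...corsHeaders(req.headers.origin) });
  res.end(JSON.stringify({ state }));
}
```

Pass `handle` to Node's `http.createServer` on a test route. A `no-cookie-header` entry for a request whose origin is testdomain.com means the cookie never reached the server, which separates that case from a CORS response the page could not read.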