I have a platform on mydomain.com.
My clients have their own websites, i.e. client.com, and they embed my page into their website using an iFrame so that customers can navigate through a checkout flow.
My page tries to read the session cookie through the iFrame, which results in third party blocks (because of the domain jump).
I can solve this by having each client create a subdomain subdomain.client.com and point this towards my domain with a CNAME. Now the cookie is considered first party, but it feels like a bit of a workaround and requires network configuration from the client.
If I was to re-architect this from scratch, what options do I have in a world away from iFrames? Can Web Components or JavaScript Widgets help me overcome this problem, without requiring network configuration from the client, or are there other modern approaches which don't require cookies for auth etc?
asked Feb 7 at 19:45 by FBryant87, edited yesterday by VLAZ
1 Answer
Have you tried having your client embed a call to one or more of your JS files from your server in any/some/all of their HTML pages? They can put a script src in the HTML; something like this will work:
<script src="https://yourserver.com/folder/yourlibrary.js"></script>
That way your JS code in yourlibrary.js will run in your client's HTML environment and can access their cookies with, for example, document.cookie, process them, and can even later contact your own server via another script src inserted from JS, an iframe called from JS, or even AJAX (but this last option only if you configure CORS security adequately).
Mind that if your client's website is on https, they can include/call only JS files on https servers.
The only difference with an IFRAME is that your script now has full access to the customer's page. If they don't want that, tell them you are just a custom CDN for them; they probably load lots more from CDNs (jQuery? Design-Systems? Fonts? etc.) – Danny '365CSI' Engelman Commented Feb 8 at 16:40
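The answer above says AJAX calls from the embedded script back to your server only work if CORS is configured adequately. As an added example (not code from the answer or its author), this is one way the server behind the widget could decide its CORS headers using an exact-match allowlist of client origins. The allowlist entries, the function names, and the assumption that the widget authenticates with a token in an `Authorization` header rather than cookies are all illustrative.

```javascript
// Added example, not from the original answer: CORS decision for the widget API.
// Constructed sample allowlist: one entry per client site that embeds the script.
const ALLOWED_ORIGINS = new Set(["https://client.com", "https://www.client.com"]);

// Return the canonical origin, or null if the header is not a plain https origin.
function normalizeOrigin(header) {
  if (typeof header !== "string" || header === "null") return null;
  let url;
  try {
    url = new URL(header);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  // An Origin header is scheme://host[:port] only; reject paths, userinfo, etc.
  return url.origin === header.toLowerCase() ? url.origin : null;
}

// Build the CORS response headers for one request (hypothetical helper).
function corsHeaders(method, originHeader) {
  const headers = { Vary: "Origin" }; // shared caches must key on Origin
  const origin = normalizeOrigin(originHeader);
  // Unknown origin: send no Allow-Origin header, so the browser blocks the read.
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return headers;
  // Echo the matched allowlist entry, never "*" and never an unchecked header.
  headers["Access-Control-Allow-Origin"] = origin;
  if (method === "OPTIONS") {
    // Preflight: the widget is assumed to send a token header, not cookies,
    // so Access-Control-Allow-Credentials is deliberately left unset.
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Constructed sample requests: two allowed, three that must be refused.
const samples = [
  ["GET", "https://client.com"],
  ["OPTIONS", "https://www.client.com"],
  ["GET", "https://client.com.evil.example"],
  ["GET", "https://client.com@evil.example"],
  ["GET", "http://client.com"],
];
for (const [method, origin] of samples) {
  console.log(method, origin, JSON.stringify(corsHeaders(method, origin)));
}
```

Suffix and prefix matching on the `Origin` header is the usual mistake here, which is why the lookalike hosts in the sample list are refused by the exact-match check.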