How does Facebook set cross-domain cookies for iFrames on canvas pages?

I was browsing Facebook's documentation reading about canvas applications and I came across an example application: http://developers.facebook.com/docs/samples/canvas. As I read through their example, however, I got very confused about their use of cookies in the iframe application.

A little backstory...

I had already played around with using iframes for embeddable widgets (unrelated to Facebook) and I found out a few browsers (Chrome, Safari, etc.) have strict cookie policies and don't allow cross-domain cookies set in iframes (Firefox, on the other hand, allows iframes to set cross-domain cookies in iframes). For example, if foo.com has an iframe with src="http://bar.com/widget" the iframe widget will not be able to set any cookies for bar.com and therefore will have trouble persisting state within the iframe: bar.com will interpret every request (including ajax requests) from the widget as a fresh request without an established session. I struggled, and found a way around this by using JSONP and javascript to set cookies for foo.com instead...

... and so?

Well, I was looking at the example canvas iframe Facebook application and I noticed that their application (hosted on runwithfriends.appspot.com) is able to set a cookie, u, with the current user's id along with a few other parameters for the runwithfriends.appspot.com domain. It sends this cookie with every request... and it works in both Chrome and Firefox! WTF? How does Facebook get around the cross-domain cookie restrictions on Chrome?

(I already know the answer now, but I thought this might be helpful for anyone struggling to figure out the same thing)

So the iFrame isn't actually setting the u cookie for the runwithfriends.appspot.com domain. What Facebook does is it creates a form, <form action="runwithfriends.appspot.com/..." target="name_of_iframe" method="POST"> and uses javascript to submit the form on page load. Since the form's target is the iframe, it doesn't reload the page... it just loads the iframe with the POST's response. Apparently even Chrome and other browsers with strict cookie policies set cookies for cross domain requests if they are POST requests...


As you can see the answer is simple, and could be implemented by just creating a handler (could be a Servlet or anything that can catch some parameterts and transform them into cookies), like this: <html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:f="http://java.sun.com/jsf/core" xmlns:h="http://java.sun.com/jsf/html" xmlns:a4j="http://richfaces.org/a4j" xmlns:c="http://java.sun.com/jstl/core" xmlns:rich="http://richfaces.org/rich"> <head> <title>::Kaptest:: Cookie Generator</title> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"/> <META HTTP-EQUIV="Expires" CONTENT="-1"/> <META HTTP-EQUIV="EXPIRES" CONTENT="0"/> </head> <c:set var="myCookies" value="#{kaptest.cross_domain_listener_action.cookies}" /> Cookies Generated... <script> function setCookie(name, value, expireDays){ var expirationDate = new Date(); expirationDate.setDate(expirationDate.getDate() + expireDays); document.cookie = name+ "=" +escape(value)+ ";path=/" + ((expireDays==null) ? "" : ";expires="+expirationDate.toGMTString()); } function setCookieMinutes(name, value, expireMinutes){ var expirationDate = new Date(); expirationDate.setMinutes(expirationDate.getMinutes() + expireMinutes); document.cookie = name+ "=" +escape(value)+ ";path=/" + ((expireMinutes==null) ? "" : ";expires="+expirationDate.toGMTString()); } </script> <script> <a4j:repeat value="#{myCookies}" var="myCookie"> setCookieMinutes("#{myCookie.name}", "#{myCookie.value}", #{myCookie.maxAge}); </a4j:repeat> </script> </html> @Name("kaptest.cross_domain_listener_action") public class CrossDomainListenerAction { private static final LogProvider log = Logging.getLogProvider(CrossDomainListenerAction.class); @In private FacesContext facesContext; private final String CODE_WORD_VALUE = KapConfig.getString("bulk_post_code_word"); private final String CODE_WORD_NAME = "__token"; private final Integer COOKIE_DEFAULT_MAX_AGE = 30; private List<CookieWrapper> cookies = new ArrayList<CookieWrapper>(); /** * Generates a set of cookies based on a Form submitted by client, * in order to bypass cross domain issues with external applications. * * In order to use it, one of the parameters should be a codeword (password). * * @return String - outcome */ @Create public void generateCookies(){ log.debug("Generating Cookies based on Params received"); HttpServletRequest request = (HttpServletRequest)this.facesContext.getExternalContext().getRequest(); Map<String, String> requestParameterMap = this.facesContext.getExternalContext().getRequestParameterMap(); if(StringUtils.equalsIgnoreCase(requestParameterMap.get(this.CODE_WORD_NAME), this.CODE_WORD_VALUE)){//Password provided for(String name : requestParameterMap.keySet()){ String value = requestParameterMap.get(name); if(!name.equalsIgnoreCase(this.CODE_WORD_NAME)){ log.info("Generating Cookie with name="+name+" and value="+value); //CookieUtil.placeCookie(name, value, COOKIE_DEFAULT_MAX_AGE); cookies.add(new CookieWrapper(name, value, COOKIE_DEFAULT_MAX_AGE)); } } }else{ log.warn("Wrong Code Word from "+request.getRemoteHost()+"/"+request.getRemoteAddr()); } } public List<CookieWrapper> getCookies(){ return this.cookies; } }