This article is contributed. See the original author and article here.

The Problem

In the new Safari 13.1 browser with Intelligent Tracking Prevention (ITP), 3rd party cookies are blocked by default so that websites cannot use them to track you.

When an iframe is hosted in a page from a different origin, its cookies are considered 3rd party, even if they are for the origin in the frame. This causes the cookies set for the SharePoint add-in webpart model to not be sent on subsequent requests, including the authentication cookie (fedauth).

 

The Solution

The solution is to add code that requests access to these cookies through the Storage Access API, which is implemented in Safari and Firefox and in browsers based on their respective projects (WebKit and Mozilla), and has experimental/future support in Chrome and Edge (Chromium) as well.

 

This script code will allow you to request access to the 3rd party cookies:

 

// Check whether the function 'hasStorageAccess()' exists on the document object;
// this lets you know that the Storage Access API is there.
if (undefined !== document.hasStorageAccess) {
    var promise = document.hasStorageAccess();
    promise.then(
        function (hasAccess) {
            // Boolean hasAccess says whether the document has access or not.
            // Only ask for access when the document does not already have it.
            if (!hasAccess) {
                return document.requestStorageAccess();
            }
        }
    ).catch(
        function (reason) {
            // Either promise was rejected for some reason.
            console.log("Storage request failed: " + reason);
        }
    );
}

 

If you have a SharePoint add-in that is running in an iframe in a SharePoint page, then you would add the above code to your provider hosted page.
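Safari only honours requestStorageAccess() when it is called from a user gesture such as a click, so a request made on page load can be rejected. The following is an added example, not code from the original article: it checks access on load and makes the request from a click handler. The function names and the "grant-access" button id are assumptions.

```javascript
// Added example. The function names and the "grant-access" button id are
// hypothetical; only hasStorageAccess()/requestStorageAccess() are browser APIs.

// True when the browser exposes the Storage Access API on this document.
function storageAccessSupported(doc) {
    return typeof doc.hasStorageAccess === "function" &&
           typeof doc.requestStorageAccess === "function";
}

// Checking needs no user gesture, so it can run on page load.
// Resolves to "unsupported", "granted" or "needs-prompt".
function checkStorageAccess(doc) {
    if (!storageAccessSupported(doc)) {
        return Promise.resolve("unsupported");
    }
    return doc.hasStorageAccess().then(function (hasAccess) {
        return hasAccess ? "granted" : "needs-prompt";
    });
}

// Reveal the button only when a prompt is needed, and call
// requestStorageAccess() directly inside the click handler so the
// request is made while the user gesture is still active.
function initAddIn(doc, button, onResult) {
    return checkStorageAccess(doc).then(function (state) {
        if (state !== "needs-prompt") {
            onResult(state);
            return state;
        }
        button.hidden = false;
        button.addEventListener("click", function () {
            doc.requestStorageAccess().then(
                function () { onResult("granted"); },
                function () { onResult("denied"); }
            );
        });
        return state;
    });
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
    var grantButton = document.getElementById("grant-access");
    if (grantButton) {
        initAddIn(document, grantButton, function (state) {
            console.log("Storage access state: " + state);
        });
    }
}
```

A "denied" result means the fedauth cookie will still be withheld, so the add-in should show a sign-in or retry message instead of continuing with authenticated calls.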

 

If you run into cookie or authentication problems that seem to affect only the Safari browser, you can confirm that ITP is causing the issue by disabling Intelligent Tracking Prevention (ITP), the feature that blocks third party cookies.

To disable this setting, navigate to:

Preferences -> Privacy

Then uncheck the Prevent cross-site tracking option.

Disabling the feature for normal use is not recommended, as it is a security measure that is designed to block malicious scripts.

 

Future development testing

If you are developing a new SharePoint provider hosted add-in or an SPFx add-in that uses content in an iframe or makes calls to a 3rd party site (with another domain), you can test the script above by turning on the Storage Access API feature in the experimental features.

In the MS Edge (Chromium) browser, use this URL:

edge://flags/

 

In Chrome, use this URL:

chrome://flags/

 

Find and enable the ‘Storage Access API’ feature to enable the method used by the script.

 

There will likely be some updates here to clarify behavior.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.