cross site cookie permissions

From JustHumans


In some web browsers, cookies (the identifying serial numbers a browser stores for a site) are not sent back to third-party websites. Because JustHumans.com is not the same domain name as your website, the JustHumans.com images do not show up in those browsers (most notably Apple's Safari web browser, on both computers and the iPhone).


Cross Site Cookie Policy

JustHumans.com uses cookies (serial numbers) to remember which images it placed on a website, so that it can tell whether the user clicked the correct image when the form is posted. When a visitor views a website such as www.example.com that has a JustHumans.com form on it, some web browsers return these cookies to JustHumans.com and some do not. Browsers that choose not to return the JustHumans.com cookies therefore do not show the JustHumans.com images. These overly conservative settings are the default in some browsers, so a way around this problem is necessary.

Known Affected Browsers

These are the currently tested browser / operating system combinations that have overly conservative default cookie permissions.

  • Safari on the Mac
  • Safari on Windows
  • Safari on the iPhone

Other browsers can have cross-site cookie permission problems if they are changed from their default settings. For example, in Firefox under Preferences -> Privacy, JustHumans.com images won't show up if "Accept third-party cookies" isn't checked. By default it is checked, so there isn't usually a problem, but if you are having trouble getting JustHumans.com images to show up, take a look at this setting.

In Internet Explorer, the third-party cookie settings are reduced to a "privacy slider". Go to Tools -> Internet Options... -> Privacy and notice how the option "Blocks third party cookies that do not have a compact privacy policy" is turned on and off as you move the slider. You can also turn third-party cookie support on and off by clicking "Advanced" and overriding the slider setting.

What Can be Done?

The way around this issue is to have JustHumans.com work from within your domain. You can do this by creating a new name (in DNS) such as verify.example.com rather than verify.JustHumans.com, which is used by default. The simple way to accomplish this is to create a CNAME record for verify.example.com that points to verify.JustHumans.com. (Of course you would use your own domain name here instead of example.com, but you get the idea.)

Next, you would change the JustHumans.com code that you pasted into the form on your website to point to your newly created CNAME record. For example, you would change this:

<script language="JavaScript" src="http://verify.justhumans.com/verification.js?k=a1b2c3..."></script>

to this:

<script language="JavaScript" src="http://verify.example.com/verification.js?k=a1b2c3..."></script>

Now, when an affected browser such as Safari comes across this code, verify.example.com is within your domain of example.com so Safari happily renders the content.

Additionally, JustHumans.com notices your new domain name and uses that in the JavaScript that it renders, including the URLs to all of the images and even the post URL. This way everything stays within your domain and Safari renders everything as expected.
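The cookie policy described above and the CNAME workaround both hinge on one question the browser asks for every embedded resource: is this request first-party or third-party relative to the page? The following is an added example, not code from JustHumans.com or from this page, that models that decision and walks through the before and after of the CNAME change. It assumes that "same site" means "same registrable domain" (the rule browsers apply, which goes slightly beyond the page's "within your domain" wording by also handling suffixes such as co.uk), that PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List, that DNS_CNAMES is a constructed DNS table, and that the key value KEY_PLACEHOLDER is a placeholder for the real k= parameter.

```javascript
// Added example (not JustHumans code): how a browser classifies an embedded
// resource as first-party or third-party, which is the distinction that a
// "block third-party cookies" setting acts on.

// Constructed stand-in for the Public Suffix List (assumption: real browsers
// use the full list; only these suffixes are modelled here).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Constructed DNS view of the CNAME workaround: the customer's own name points
// at the JustHumans host. The browser never consults this table when deciding
// whether a cookie is third-party; it only sees the hostname written in the URL.
const DNS_CNAMES = { "verify.example.com": "verify.justhumans.com" };

// Registrable domain (eTLD+1): one label above the longest matching public
// suffix, so "www.example.co.uk" -> "example.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join(".");
}

// Follow the constructed CNAME chain to the host the browser actually connects to.
function resolveHost(hostname) {
  let host = hostname.toLowerCase();
  const seen = new Set();
  while (DNS_CNAMES[host] && !seen.has(host)) {
    seen.add(host);
    host = DNS_CNAMES[host];
  }
  return host;
}

// Classify the resource request by comparing registrable domains of the page
// and of the resource URL's hostname (not of the resolved CNAME target).
function classifyRequest(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const sameSite =
    registrableDomain(page.hostname) === registrableDomain(res.hostname);
  return {
    context: sameSite ? "first-party" : "third-party",
    connectsTo: resolveHost(res.hostname),
  };
}

// Would a cookie previously set by the resource host be sent on this request?
// Only the two policies the page discusses are modelled (assumption).
function cookieSent(policy, pageUrl, resourceUrl) {
  const { context } = classifyRequest(pageUrl, resourceUrl);
  if (policy === "block-third-party") return context === "first-party";
  if (policy === "allow-all") return true;
  throw new Error("unknown policy: " + policy);
}

// Before and after the CNAME change, as seen by a Safari-like browser that
// blocks third-party cookies by default.
function walkthrough() {
  const page = "http://www.example.com/contact.html";
  const before = "http://verify.justhumans.com/verification.js?k=KEY_PLACEHOLDER";
  const after = "http://verify.example.com/verification.js?k=KEY_PLACEHOLDER";
  const policy = "block-third-party";
  return {
    before: { ...classifyRequest(page, before), cookieSent: cookieSent(policy, page, before) },
    after: { ...classifyRequest(page, after), cookieSent: cookieSent(policy, page, after) },
  };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

Two things the walkthrough makes visible. First, classification uses only the hostname in the URL, so the connection still ends up at verify.justhumans.com while the cookie is treated as first-party; this is exactly why the CNAME is enough. Second, cookies previously stored for verify.justhumans.com are not sent to verify.example.com, so the service has to issue its cookies under the new name (which the page says JustHumans.com does once it notices the new domain). The same property cuts the other way for a site owner: a host CNAMEd into your registrable domain can set cookies that your whole site reads, so the delegated name sits inside your own trust boundary and should be treated that way.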

A Live Example

This is running on the forms at the bottom of http://www.12byzantinerulers.com/ if you want to see it in action. View the page source to see how the URL in the JavaScript call is altered to verify.12byzantinerulers.com, and notice that it works in Safari.
