cross site cookie permissions

From JustHumans


In some web browsers, cookies (small identifiers, or "serial numbers", that the browser sends back to the site that set them) are not passed to external websites. As is not the same domain name as your website, the images don't show up in some browsers (most notably, Apple's Safari web browser on both computers and the iPhone).


Cross Site Cookie Policy uses cookies (or serial numbers) to remember which images it put on a website, so that it can tell whether the user clicked the correct image when the form is posted. When visiting a website like that has a form on it, some web browsers happily return these cookies to and some do not. When a browser chooses not to return the cookies, the images are not shown. These overly conservative settings are the default in some browsers, so a way around this problem is necessary.

Known Affected Browsers

These are the currently tested browser / operating system combinations that have overly conservative default cookie permissions.

  • Safari on the Mac
  • Safari on Windows
  • Safari on the iPhone

Other browsers can have cross-site cookie permission problems if they are changed from their default settings. For example, in Firefox under Preferences -> Privacy, images won't show up if "Accept third-party cookies" isn't checked. By default it is, so there isn't usually a problem, but if you are having trouble getting images to show up, take a look at this setting.

In Internet Explorer, third-party cookie handling is collapsed into a "privacy slider". Go to Tools -> Internet Options... -> Privacy and notice how the option "Blocks third party cookies that do not have a compact privacy policy" is turned on and off as you move the slider. You can also turn third-party cookie support on and off by clicking "Advanced" and overriding the slider setting.

What Can be Done?

The way around this issue is to have work from within your domain. You can do this by creating a new name (in DNS) such as rather than, which gets used by default. The simplest way to accomplish this is to create a CNAME record for that points to (of course you would use your own domain name here instead of, but you get the idea).

Next, you would change the code that you pasted into the form on your website to point to your newly created CNAME record. For example, you would change this:

<script language="JavaScript" src=""></script>

to this:

<script language="JavaScript" src=""></script>

Now, when an affected browser such as Safari comes across this code, is within your domain of, so Safari happily renders the content.

Additionally, notices your new domain name and uses it in the JavaScript that it renders, including the URLs of all the images and even the post URL. This way everything stays within your domain and Safari renders everything as expected.
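The following Python is an added illustration, not JustHumans' own code: it models the cookie-backed image challenge described above, with an approximation of the first-party test an affected browser applies, a challenge cookie that binds a random nonce to the correct image with an HMAC, and the verification step, where a cookie the browser never returned is the failure mode the page describes. The hostnames (example.com, captcha.example.com, captcha-vendor.example) and the secret key are placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key; a real service keeps this server-side and secret.
SECRET = b"placeholder-server-secret"


def is_first_party(page_host: str, resource_host: str) -> bool:
    """Approximate the first-party test an affected browser applies: the resource
    host must equal the page host or be a subdomain of it (as a CNAME such as
    captcha.example.com is under example.com). Real browsers use a public-suffix rule."""
    page_host, resource_host = page_host.lower(), resource_host.lower()
    return resource_host == page_host or resource_host.endswith("." + page_host)


def issue_challenge(serving_host: str, correct_index: int, count: int = 3):
    """Return (cookie, image URLs). The cookie binds a random nonce to the
    correct image with an HMAC, so the client cannot read or forge the answer.
    Image URLs use the host the script was loaded from, which is first-party
    when that host is a CNAME inside the site's own domain."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(SECRET, f"{nonce}:{correct_index}".encode(), hashlib.sha256).hexdigest()
    images = [f"https://{serving_host}/img/{nonce}/{i}.png" for i in range(count)]
    return f"{nonce}.{tag}", images


def verify_submission(cookie: Optional[str], chosen_index: int, count: int = 3) -> str:
    """Outcome of the form POST. A missing cookie is the failure the page describes:
    the browser never sent it back, so nothing can be checked. A real service
    would also mark each nonce single-use to stop replay."""
    if not cookie:
        return "no-cookie"
    nonce, _, tag = cookie.partition(".")
    for i in range(count):
        expected = hmac.new(SECRET, f"{nonce}:{i}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            return "pass" if i == chosen_index else "wrong-image"
    return "tampered"


def simulate(page_host: str, service_host: str, accept_third_party: bool,
             correct_index: int, chosen_index: int) -> str:
    """End to end: the browser returns the cookie only when the service host is
    first-party to the page or third-party cookies are accepted."""
    cookie, _images = issue_challenge(service_host, correct_index)
    sent = cookie if accept_third_party or is_first_party(page_host, service_host) else None
    return verify_submission(sent, chosen_index)
```

With third-party cookies refused, the vendor host yields "no-cookie" while the CNAME host inside the site's domain yields "pass" or "wrong-image" as expected.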

A Live Example

This is running on the forms at the bottom of if you want to see it in action. View the source to see how the URL in the JavaScript call is altered to and notice how it works in Safari.
