Setting cookie in iframe - different Domain

Since your content is being loaded into an iframe from a remote domain, it is classed as a third-party cookie.

The vast majority of third-party cookies are provided by advertisers (these are usually marked as tracking cookies by anti-malware software) and many people consider them to be an invasion of privacy. Consequently, most browsers offer a facility to block third-party cookies, which is probably the cause of the issue you are encountering.

From new update of Chromium in February 4, 2020 (Chrome 80). Cookies default to SameSite=Lax. According to this link.

To fix this, you just need to mark your cookies are SameSite=None and Secure.

To understand what is Samesite cookies, please see this document

After reading through Facebook's docs on iframe canvas pages, I figured out how to set cookies in iframes with different domains. I created a proof of concept sinatra application here: https://github.com/agibralter/iframe-widget-test

There is more discussion on how Facebook does it here: How does Facebook set cross-domain cookies for iFrames on canvas pages?

IE requires you to set a P3P policy before it will allow third-party frames to set cookies, under the default privacy settings.

Supposedly P3P allows the user to limit what information goes to what parties who promise to handle it in certain ways. In practice it's pretty much worthless as users can't really set any meaningful limitations on how they want information handled; in the end it's just a fairly uniform setting acting as a hoop that all third parties have to jump through, saying “I'll be nice with your personal information” even if they have no intention of doing so.