Cookies in Safari private browsing with iframes

Update: Since doing some more investigation, I'm updating this question.

We're seeing some strange behaviour on our site for Safari users who are in private browsing mode. Our site is in an iframe which is on a different domain to the main window.

It seems like our cookies are being blocked by Safari when in private mode.

Interestingly, if the cookies already exist (ie. if we login through the main window, and then go to this page) then it allows the cookies and you can see them in the web inspector. But if you try to log in through this iframe when in private mode, the login fails, and it appears to be because Safari is blocking the cookies.

Is this a private browsing setting which can be changed perhaps? The information I've found about how private browsing affects the way Safari treats cookies has been inconsistent.

Any information or ideas that anyone has would be much appreciated.


I know this was asked over a month ago now, however I'll answer incase you haven't found the answer and for future users.

It is to do with safaris cookie policy that is set by default. As by default safari will only allow cookies from sites that you have visited.

It does not use, therefore, any cookies set by the webpage that is within an iframe. This is because the location of the top frame (the page that has the iframe) is a different domain to the iframe, and if the user has never been to the domain of the site contained within the iframe, safari will not use the cookies set by the iframe. Therefore, if a user were to go to the "main window" or the domain within the iframe, safari knows that you have visited this site, and will allow cookies set by this site/domain to be used.

You can check the policy safari is using when in safari, if you click Safari (top left) then Preferences a dialog box should appear. Along the top you should see a privacy tab. In the privacy tab, the first settings you should see are the cookies and website data. By default this will be set to Allow from websites I visit however this needs changing to Always allow for the cookies in an iframe to work without a coded solution. Alternately, you could look into a coded solution, such as this or this