You're reading our legacy documentation, the documentation for deprecated versions of UserFrosting. To read the docs for the current version of UserFrosting, visit


    Safari - Getting authentication to work with iframes & cross domain


    When using Userfrost though a Iframe on a Cross Domain Setup, For Example Website Hosts an Iframe which is Website

    Using Safari, When a User Logs in you get a 404 Error. This is because as default Safari Blocks 3rd Party Cookies. If you set 3rd Party Cookies to 'NEVER' then Safari will be able to generate the session token which allows the user to log into Userfrost.

    Unless the User has had access to the second domain ( then Safari will block the cookie from being generated. If you manually navigate to then back to you will be able to log in. This is because Safari now Trusts the domain in question.


    Get away from an Iframe on a Cross Domain. This can be done by hosting Userfrost on the Same Site EG: Server/Domain

    Setup a Pop Up which will 'OnLoad' : then close immediately - Please note Safari also by default Blocks Pop ups. If you set it to Never Block Pop ups, it will still ask the user weather to allow the pop up to be executed. Not ideal, i know!

    Use some Java to talk to the domain in the background. Basically i tried this with some queries, if the user can get some data or feedback from then Safari will trust the domain which in turn will allow the user to log in. Although this sounds the best solution, If the User Bookmarks the page; This practice doesn't work to well.

    Final Solution From hours or searching the Web i found the only future proof answer is to get rid of the Iframe. Safari really doesnt like Iframes which Track. Unless you can ensure your users are happy with having there Cookies set to 'Never'

    Relevant issues and links