Suppose I have a site at www.example.com which has an IFRAME pointing to ASP.NET site myapp.othersite.com - this causes issues with session and 3rd-party cookies which I understand.
If I moved the embedded app to myapp.example.com, would the session cookie still count as a 3rd-party cookie as it is a different subdomain?
Cookies seem to be considered 3rd party if they come from different base domains (base domains being example.com
or example.co.uk
), but not if they come from different subdomains of the same base domain.
myapp.example.com
will be able to set cookies with domain myapp.example.com
if it is embedded within www.example.com
.
Having myapp.example.com
set cookies with domain .example.com
is unnecessary unless those cookies need to be read from a different subdomain.
[Tested in Firefox, Chrome (with 3rd party cookies blocked) and Safari] [ThirdPartyUtil.IsThirdPartyInternal seems to be where this is checked in Firefox]