Safari's "Prevent cross-site tracking" breaks my Power-Up's OAuth login flow

Some of my users using Safari are having trouble logging into my app when inside my Power-Up, and my guess is this is a common problem. Safari’s cross-site tracking prevention appears to prevent cookies from “sticking”, i.e. my Power-Up opens the Trello OAuth flow and, once complete, sets a cookie (on my domain) that says the user is logged in. However, the cookie doesn’t get saved (due to Safari’s “Prevent cross-site tracking”) and the user still appears logged out. Simply toggling this preference in Safari affects whether I’m logged in or out of my app when inside the Power-Up.

Are there any workarounds for this that don’t request that my users disable this privacy setting in Safari?

2 Likes

This is a great question! I don’t know that I know a workaround.

:thinking: Can you use Window.postMessage() to pass it back to your app and then store it in pluginData via t.set() and use it if it’s there? I guess that then you get into trying to juggle whether you have a token stored and whether or not cookies are available.

Let me also ask around a bit for others’ thoughts.

1 Like
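
The postMessage plus t.set() idea from the reply above, as an added example that is not code from either poster: the Power-Up iframe validates the message from the auth popup before storing the token. `APP_ORIGIN`, `TOKEN_KEY`, `POWERUP_ORIGIN`, the `{type, state, token}` message shape and the function names are assumptions; `t` is the Power-Up client object.

```javascript
// Added example. APP_ORIGIN, TOKEN_KEY and the {type, state, token} message
// shape are assumptions, not part of the Power-Up API.
const APP_ORIGIN = 'https://app.example.com'; // hypothetical origin serving the auth popup
const TOKEN_KEY = 'authToken';                // hypothetical pluginData key

// Decide whether a message event is the token for the login attempt we started.
function checkTokenMessage(event, popup, expectedState) {
  // Any window can post to us, so pin both the origin and the sending window.
  if (event.origin !== APP_ORIGIN) return { ok: false, reason: 'origin' };
  if (event.source !== popup) return { ok: false, reason: 'source' };
  const d = event.data;
  if (!d || d.type !== 'oauth-token') return { ok: false, reason: 'type' };
  // The state nonce binds the message to this attempt; other flows are ignored.
  if (typeof d.state !== 'string' || d.state !== expectedState) return { ok: false, reason: 'state' };
  if (typeof d.token !== 'string' || d.token === '') return { ok: false, reason: 'token' };
  return { ok: true, token: d.token };
}

// Persist an accepted token in member-scoped, private pluginData.
async function handleMessage(t, event, popup, expectedState) {
  const result = checkTokenMessage(event, popup, expectedState);
  if (result.ok) await t.set('member', 'private', TOKEN_KEY, result.token);
  return result.ok;
}

// On later loads, read the stored token instead of relying on the cookie.
async function loadToken(t) {
  const token = await t.get('member', 'private', TOKEN_KEY);
  return typeof token === 'string' && token !== '' ? token : null;
}

// Browser wiring: open the popup with a fresh nonce and listen for one reply.
function startLogin(t, authUrl) {
  const state = crypto.randomUUID();
  const url = new URL(authUrl);
  url.searchParams.set('state', state);
  const popup = window.open(url.href, 'powerup-auth');
  const listener = async (event) => {
    if (await handleMessage(t, event, popup, state)) {
      window.removeEventListener('message', listener);
    }
  };
  window.addEventListener('message', listener);
}
// Popup side, after OAuth completes (target origin = the Power-Up iframe's origin):
//   window.opener.postMessage({ type: 'oauth-token', state, token }, POWERUP_ORIGIN);
```

The popup should pass an explicit target origin rather than `'*'`, so the token is only delivered to the Power-Up iframe.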