Taken with slight modifications from Jeremy's comment here.


The problem:

1. Safari does not allow an iframe with a domain different from the domain of the main page to set cookies unless the user 'actively' navigates it, i.e. clicks a link.

2. Facebook apps using iframes are an instance of this - the main page is apps.facebook.com, and the iframe is some.developer.site.


The solution:

(Note: I use MainController for storing most static pages and the very rare random-shit page, like this. YMMV.)

1. app/controllers/application.rb

Somewhere that will get executed whenever a user loads the page normally (e.g. a universal before_filter), do:

cookies['safari_cookie_fix'] = 'cookie OK'

This will signal to the page that the cookie has been set successfully.

2. app/controllers/main_controller.rb

  session :off, :only => :set_cookie

  def set_cookie
    cookies['safari_cookie_fix'] = params[:_session_id]
    redirect_to params[:redirect_to] and return
  end

This will get automatically posted to if the cookie did NOT get loaded (i.e. we're in the first page of a Safari iframe and Safari dropped our cookie in the trash).

session :off is because it doesn't yet have any cookie to get its session info from.

This action will basically just redirect onwards to the place you were supposed to be in the first place. The fact of redirecting will mean that Safari now thinks it's OK to set the cookie, and therefore, Rails' automagic session cookie setters will work too.

Actually setting the cookie is AFAICT superfluous but helpful for debugging.


3. config/routes.rb

map.safari_cookie_fix "safari_cookie_fix", :controller => 'main', :action => 'set_cookie'

Convenience.


4. app/views/layout.html.erb

Somewhere in your body (preferably high up, so it gets evaluated first and doesn't wait for rendering that will get preempted anyway), insert:

<script>
	function safariFixSession(sess_id, controller) {
		alert('no cookie found');
		var url = location.href;
		var url_with_redirect = controller + "?redirect_to=" + url;
		
		$$('body')[0].insert("<form id='safariFixSession'></form>");
		var f = $('safariFixSession')
		f.method = 'POST';
		f.action = url_with_redirect;
		var m = document.createElement('input');
		m.setAttribute('type', 'hidden');
		m.setAttribute('name', '_session_id');
		m.setAttribute('value', sess_id);
		f.appendChild(m);
		f.submit();
	} 

	if (document.cookie.indexOf("safari_cookie_fix") == -1) safariFixSession("<%= session[:session_id] %>", "safari_cookie_fix");
</script>

This will add a form to your page with the current session ID (if any) and automatically submit it to the controller we made in step 2.

Remember to remove the alert() line! It's very useful for testing but not so great for users. ;-)

Note that as I said above, the session ID passing seems to be completely unnecessary, so feel free to yank it. What is necessary is simply the auto-form-submit.

It's quite possible that Safari may consider this method a security problem and patch it. If so, I'll update this post w/ info if I have any. But Safari people: please make sure that app developers who are doing legitimate stuff aren't hurt - it just means that we'll have to redirect people to Firefox, hint hint.



I've tried this and it seems to work just fine.

Thanks to Jeremy & Will Henderson for the code!