Marfeel HUD is loaded inside an iframe on top of the host page and shares the auth session with hub.marfeel.com to securely interact with Marfeel APIs via third-party cookies.
In Safari, an iframe can access third-party cookies only after explicitly requesting access from the user. To be able to make this request, the iframe needs the allow-storage-access-by-user-activation sandbox flag.
For sites that use the HTTP Content-Security-Policy (CSP) sandbox directive, the HTTP header takes precedence over any inline sandbox flag. For Marfeel HUD to work properly, the CSP header has to explicitly specify allow-storage-access-by-user-activation.
Here’s an example of a valid header:
Content-Security-Policy: sandbox allow-storage-access-by-user-activation;
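To check a site's own header against this requirement, the following added example (not Marfeel's code) audits a Content-Security-Policy header value for the sandbox token. The function names, status strings and sample header values are assumptions constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value for the
// sandbox token required above. All names here are hypothetical.
const REQUIRED = 'allow-storage-access-by-user-activation';

// Split one serialized policy into a Map of directive name -> tokens.
// Directive names are case-insensitive, and when a directive is repeated
// inside one policy only its first occurrence is used.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// A header value can carry several comma-separated policies and all of
// them are enforced, so every policy that contains a sandbox directive
// has to list the token.
// Returns 'no-csp-sandbox' (the inline sandbox attribute applies),
// 'ok', or 'missing-token'.
function auditSandbox(headerValue) {
  const sandboxed = headerValue
    .split(',')
    .map(parsePolicy)
    .filter((p) => p.has('sandbox'));
  if (sandboxed.length === 0) return 'no-csp-sandbox';
  const allAllow = sandboxed.every((p) => p.get('sandbox').includes(REQUIRED));
  return allAllow ? 'ok' : 'missing-token';
}

// Constructed sample header values.
const samples = [
  'sandbox allow-storage-access-by-user-activation;',
  "default-src 'self'; sandbox allow-scripts allow-same-origin",
  "default-src 'self'",
];
for (const value of samples) {
  console.log(auditSandbox(value).padEnd(15), value);
}
```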