angular - Is there a workaround for Safari iOS "Prevent Cross Site Tracking" option, when issuing cookies from API on different domain?

Question

Is there any workarounds that allows me to keep the "Prevent Cross Site Trackng" option enabled (as it is by default, so every user will have it on), and issue CORS cookies from my back-end api that is on a different domain than my angular app?

My application flow is as follow: 1. User Logs in 2. The server authenticates, issues a JWT and stores the JWT inside of an HttpOnly cookie 3. All angular requests have the {withCredentials: true}

This works perfectly fine on....windows desktop browsers. However when I try to login on Safari iOS, and mac Safari the cookie is not saved nor is it sent with subsequent requests.

I found that disabling "Prevent Cross Site Tracking" option works, but I cannot expect all of my users to disabled this option to use the my app.

Are there any workarounds for this right now?

Answer 1

I'd suggest puting both your website and the api on the same domain, e.g. https://web.mydomain.com and https://api.mydomain.com. This shouldn't be too difficult to implement - I haven't found any simple technical solutions online yet that will force Safari on iOS to allow this without changing the settings.