It seems that the recent updates to the Safari browser (Prevent cross-site tracking) block any cookies from being generated when the Matomo domain doesn't match the website it's being loaded from.
This breaks the use of iFrames for Matomo that require cookies to be set (for example, the logme feature).
There doesn't seem to be any way to fix this with headers (e.g. using CSP or CORS configurations).
2 current workarounds exist that I've found:
I'm not sure how many users are using iFrames that would require cookies to be set, but they would be impacted if any of their users use Safari.
We encountered the bug on our side as well.
We're planning to customize the index.php (target of the iframe) to add a link / button to open the link in a new tab/window to prevent this error for Safari users.
FYI, in https://github.com/matomo-org/matomo/issues/17452 we will be working on an Opt Out solution that works without iframes, meaning this should then no longer be a problem once this new opt out is used.
This also affects the opt-out feature on the personal settings page inside of Matomo:
And as there is no direct way to set cookies on another domain there, we might need to remove that feature (or replace it with an explanation).
@Findus23 if I am not wrong, the link « Click here to set a cookie that will exclude your visits on websites tracked by Matomo... » opens a new window/tab. Then the cookie can be generated without any problem if I read Starker3's 2nd workaround...
@heurteph-ei But wouldn't the link then not need to open the domain of the website that is tracked as the cookie needs to be stored there (or at least stored while on that site)?
As I understand (I may be wrong), the opt-out feature uses a 3rd party cookie, as it is explained by «... your visits on websites tracked by Matomo on dev.matomo ».
The thing pointed out by Starker is that on Safari, you can create the cookie only if you are in the website itself. As the link opens a new window/tab, it should work...
Anyone find a way to allow this in Safari (I am looking for options I can set on the web server)?
We have a Django app that is embedded in Shopify. This works fine in Chrome and Mozilla, but it is not working in Safari Browser as an iframe, as it is blocking all the cookies. So all the POST requests are getting rejected because of forbidden csrf. Is there any solution for this? After disabling Prevent Cross Site Checking in Safari Browser it is working fine and storing CSRF cookies and all. Is there any other solution to this?
This was fixed in https://github.com/matomo-org/matomo/pull/19528
Please see the announcement also - https://matomo.org/blog/2022/09/improvements-to-matomo-opt-out-form-feature/