Third-Party Cookies

Haris Haidary,

Recently, there has been a number of questions about third-party cookies and iframes and I thought I would seize this opportunity for a developer blog. In short, it was brought to our attention that, in certain cases, the eSignLive signing ceremony web page would not load in an iframe, giving an "unauthorized access" error. Further investigation revealed that this issue mainly occurred for end-users using the Safari web browser, as the default setting blocks all third party cookies. In this blog, I will go over why this error happens and what you should do if you experience this issue.

Internet Cookies

First of all, let’s go over the subject of web cookies. What are cookies? In short, cookies are small pieces of data sent from a website you browse to and stored on your local machine. Cookies often store your settings for a website, such as: items added in the shopping cart in an online store, preferred language, location, etc.

Third-party cookies, on the other hand, are cookies that are set by a website other than the one you are currently on. For example, say you are browsing on The web page might have a Facebook like button on their site. That like button will set a cookie that can be read by Facebook. This is considered to be a third-party cookie. Disabling third-party cookies not only prevents HTTP responses and scripts from other domains from setting cookies, but also removes cookies from requests to domains that are not the document origin domain. In other words, information is exchanged only between you and the current site you are viewing.

Third-Party Cookies & iFrames

Now, how does this relate to eSignLive? The majority of web applications integrating eSignLive will embed the signing ceremony in an iframe (one domain into a website of a different domain). With third-party cookies disabled, the cookies, and hence the session variables of the domain inside the iframe, are blocked. In other words, the sessions that the domain relies on do not work, as the session cookie is not "trusted" by the browser when the website inside the iframe is hosted on a different domain than the parent website. Hence, here is what you should do if you are

  • Integrating eSignLive in your web application: before loading the eSignLive signing ceremony in an iframe, make a sanity check to determine if your end-users have third-party cookies enabled and request to enable third-party cookies if disabled.
  • An end-user of a web application integrating eSignLive: head over to your internet options and allow for third-party cookies. For example, if you are on Safari, choose Safari > Preferences, click Privacy, and select "Always allow" as cookie settings.

If you have questions regarding this blog or anything else concerning integrating eSignLive into your application, visit the developer community forums: That's it from me. Thank you for reading! If you found this post helpful, please share it on Facebook, Twitter, or LinkedIn.

Haris Haidary
Junior Technical Evangelist
LinkedIn | Twitter


OneSpan Developer Community

OneSpan Developer Community

Join the OneSpan Developer Community! Forums, blogs, documentation, SDK downloads, and more.

Join Today