[fjert]

I recently had to deal with the headaches of cookies and iframes. In my case, it was learning management software that used our external tool loaded in an iframe via LTI. I was specifically dealing with Safari but understood other browsers could become as strict as Safari for cookies in iframes.

After pursuing methods of getting user consent to use 3rd party cookies via the storage API, the end result was the user jumping through hoops by repeatedly clicking buttons to invoke user interaction in different contexts to eventually get a prompt to allow cookies. It did work, but there were strange bugs with it on mobile Safari... e.g., the prompt to allow cookies never appeared after clicking the button but after putting Safari in the background and going back to it, it did appear.

The UX of all this was pretty undesirable so we just gave up and had the tool open in a full window and wondered why we didn't think to do that from the beginning.