Hello GoodData team, I’m trying to load GoodData analyze page to embedded frame. It’s working well on the Chrome, but on the safari for OS X, it’s show Login page. I’ve followed the https://help.gooddata.com/doc/enterprise/en/additional-resources/troubleshooting/embedding-issues/#EmbeddingIssues-EmbeddinginSafari to fix cookie, but it doesn’t work until I uncheck

Prevent cross-site tracking

in the Safari Settings. Unchecking this setting causes an impact to our customer and their company’s policy doesn’t allow to do that. I’m wondering that what happens if GoodData Devops team could add my company domain to the whitelist, then will Safari allow GoodData to retrieve third-party cookies? Could you please help?

Hi Nam, This is a known issue and safari blocks 3rd party cookies by default for some time now. Google Chrome started gradual rollout of blocking the 3rd party cookies as well (starting this year it has been applied to 1% of the users). Basically there are two solutions to this: 1. Whitelabeling the hostname of your GD environment so that it's on the same second level domain as the application it's being embedded in (i.e. app.example.com & gooddata.example.com) 2. We can turn on the partitioned cookies (CHIPS) (which is something we recently implemented given the changes in google chrome), which would allow the authentication to work within the iframe. But it's limited to certain use cases (basically you would need to have SSO authentication implemented in the app) If you'd like to go with either of these options, please send a request to support@gooddata.com.

Thanks for your reply, @Boris I think we already have a white label. Our white label in the GoodData is is

<http://saleshood.na.gooddata.com|saleshood.na.gooddata.com>

. And our company domain is

<http://saleshood.saleshood.com|saleshood.saleshood.com>

I could access my workspace through iframe on the Chrome, but it’s failed on the Safari. And from your spec, it’s failed because Safari blocks it. The iframe calls

gdc/account/customerlogin

with payload so that we could silently login to the GoodData system. But I don’t see it called on the Safari. Doesn’t it call because our domain isn’t marked as whitelist in the GoodData system?

Hi Nam, Your gooddata environment is still hosted on *.na.gooddata.com domain, it would have to be switched to *.saleshood.com so that the cookies would no longer be considered 3rd party.

I could access my workspace through iframe on the Chrome, but it’s failed on the Safari.

Chrome should start blocking it soon as well.

The iframe calls

gdc/account/customerlogin

with payload so that we could silently login to the GoodData system.

This is an API call associated with PGP SSO, so the partitioned cookies should help in this case.

so I should send a request to the GoodData support to change domain from

<http://saleshood.na.gooddata.com|saleshood.na.gooddata.com>

to

<http://gooddata.saleshood.com|gooddata.saleshood.com>

so that we can pass the cookies issue, right?

Hi Nam, yes, either that (but it would require changes on your side like the SSO endpoint + embedding link + urls in data pipeline, or we can enabled the partitioned cookies for you, which should also help.

Will the partitioned cookies work on the Safari browser? The link you sent to me is document from Google. So I’m not sure if solution 2 can resolve our issue?

that's a very good question, I think the concept of partitioned cookies is universal and not strictly limited to google chrome, it should work, but I am not 100% sure. Anyway this should be easy to test, we can turn it on per domain, so you can try it on DEV/TEST environment first. I see that Nikos opened a ticket for us on your behalf, we can continue the conversation there, if you agree....

yes, we should continue the conversation there. it seems reaching to your team in both channels is not right method 🙂

🙂 no problem, I keep my eye on both

thanks for your help, Boris 🙂