Third-Party Cookies and Yellowfin

Overview

Many browsers are now beginning to deprecate third-party cookie support.

Customers with standalone installations of Yellowfin are not affected, but this change could create issues when embedding Yellowfin content within other web sites or applications that are on a separate domain.

Major browsers are implementing cookie deprecation in different ways and on different schedules. Firefox and Chrome (including Microsoft Edge) are implementing a partitioned cookie approach, that allows third-party cookies to be used, but where those cookies are sandboxed from accessing information outside of the domain from where they originated. Firefox is now treating all cookies this way, and no configuration is required for this to work. Chrome requires the website issuing the cookie to pass a special cookie attribute to allow this to happen. Safari is not supporting partitioned cookies, and currently there are not many ways to allow third-party cookies to be enabled without the end-user being prompted to provide explicit permission.

There are alternatives to supporting third-party cookies without using partitioned cookies. This generally involves hosting content on common domains so that cookies are not blocked. We'll cover these processes below:

Partitioned Cookies

Beginning with version 9.11.0.1, Yellowfin will ship with Tomcat Version 9.0.85. This has partitioned cookie support built in. New installations of Yellowfin 9.11.0.1 will have partitioned cookies enabled by default.

In existing versions of Yellowfin, Tomcat can be upgraded independently of a Yellowfin upgrade, however additional configuration will be required. The following can be added to the Yellowfin/appserver/conf/Catalina/localhost/ROOT.xml (within the existing context tags):

<CookieProcessor sameSiteCookies="none" partitioned="true" />

As mentioned earlier, the use of server-designated partitioned cookies is required for Chrome/Edge to treat a third-party cookie as partitioned. This does not address issues with Safari.

Common Domain

Third-party cookie issues will not be a problem where Yellowfin is hosted on the same domain as the application that is embedding Yellowfin content. In this scenario, the cookies are no longer considered third-party and are not blocked by the browser. The use of separate subdomains for the Yellowfin and embedding site can also work in this scenario. For example, Yellowfin content from yellowfin.domain.com can be embedded on app.domain.com without issue.

Safari

Other than sharing domain names between both Yellowfin and the embedding site, there is currently no way to have Safari accept a third-party cookie without user intervention. It is possible to call requestStorageAccess from Javascript that will prompt the user to accept a cookie. Yellowfin does not support this feature natively, and a custom landing page may be required to prompt the user to accept external cookies, before content can be embedded via an iframe or JSAPI.

Apple has mentioned that Safari may introduce other features in the future to support cookies that originate from other domains.

If you have any questions surrounding this topic, please raise a ticket with our Support Team.