Fix: Safari Blocking Third-Party Cookies (ITP)

Updated April 2026

Safari's Intelligent Tracking Prevention (ITP) has blocked third-party cookies by default since Safari 13.1 (March 2020) — three years before Chrome. If your cross-site functionality works in Chrome but not Safari, ITP is why.

What Safari ITP blocks

Fix 1 — Add Partitioned (CHIPS)

Safari supports the Partitioned attribute. Adding it allows cookies to work in third-party context scoped to the top-level site:

Set-Cookie: session=abc; SameSite=None; Secure; Partitioned; HttpOnly; Path=/

Fix 2 — Storage Access API

For embedded iframes that need access to first-party cookies, request storage access explicitly. The user must grant permission:

// Inside your iframe — request storage access
document.requestStorageAccess().then(() => {
  // Storage access granted — cookies now accessible
  console.log('Storage access granted');
}).catch(() => {
  // User denied or browser blocked
  console.log('Storage access denied');
});

Fix 3 — Move to first-party context

The most robust fix — serve your embedded content from the same domain as the parent site, or use a subdomain with Related Website Sets (Chrome) or first-party framing.

ITP and the 7-day cap on JS-set cookies

Even first-party cookies set via document.cookie (JavaScript) are capped at 7 days expiry by Safari ITP. To avoid this, set cookies server-side via HTTP response headers — the cap doesn't apply:

# Server-side Set-Cookie — not capped by ITP
Set-Cookie: pref=dark; SameSite=Lax; Secure; HttpOnly; Path=/; Max-Age=31536000

# document.cookie in JS — capped at 7 days by Safari ITP
document.cookie = "pref=dark; max-age=31536000"; // ITP reduces to 7 days