With Facebook's new way of loading iframe apps with POST requests, the Safari third-party cookie problem is now partly fixed. Dealing with cookies on the Facebook platform has always been a big headache, since Safari rejects them by default. With POST requests, however, it is now possible to set cookies from the server. It seems Safari will still reject cookies set from the client.
The work-around I use is to set a cookie from the server with the signed_request in it if there is one present. This solves most of the problems since I can just use the cookie when I don’t have a fresh signed_request (this happens when I do a request inside the canvas).
Here is the code inside a before_filter in the application_controller. I use Rails with the Facebooker2 gem:
The P3P header is used to make IE6 and IE7 accept the cookie as well.
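Because the cookie copy of the signed_request comes back from the browser, it needs the same signature check as a fresh POST value before it is trusted. The following standard-library Ruby is an added example, not the before_filter from the original post and not Facebooker2 code; it shows the "fresh value first, cookie as fallback" selection with HMAC-SHA256 verification. The helper names, `APP_SECRET`, and the `MAX_AGE` limit are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

APP_SECRET = 'constructed-app-secret' # placeholder, not a real secret
MAX_AGE = 2 * 60 * 60                 # assumption: reject copies older than 2 hours

def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

def hmac(secret, data)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, data)
end

# Compare without returning early at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the decoded payload Hash, or nil if the value is malformed, forged or stale.
def verify_signed_request(raw, secret: APP_SECRET, now: Time.now.to_i)
  sig_b64, payload_b64 = raw.to_s.split('.', 2)
  return nil if sig_b64.to_s.empty? || payload_b64.to_s.empty?
  return nil unless secure_equal?(b64url_decode(sig_b64), hmac(secret, payload_b64))
  data = JSON.parse(b64url_decode(payload_b64).force_encoding('UTF-8'))
  return nil unless data.is_a?(Hash) && data['algorithm'].to_s.upcase == 'HMAC-SHA256'
  return nil if now - data['issued_at'].to_i > MAX_AGE
  data
rescue ArgumentError, JSON::ParserError
  nil
end

# Prefer the fresh POST parameter; fall back to the cookie copy.
# Returns [payload, raw_value_to_store_in_cookie] or [nil, nil].
def current_signed_request(params, cookies, now: Time.now.to_i)
  [params['signed_request'], cookies['signed_request']].each do |raw|
    data = verify_signed_request(raw, now: now)
    return [data, raw] if data
  end
  [nil, nil]
end

# Constructed sample value in the signed_request layout: base64url(sig).base64url(json)
def build_signed_request(payload, secret: APP_SECRET)
  body = Base64.urlsafe_encode64(JSON.generate(payload)).delete('=')
  "#{Base64.urlsafe_encode64(hmac(secret, body)).delete('=')}.#{body}"
end
```

In a Rails before_filter, the raw value returned here is what would be written back to the cookie, so only verified values are ever stored.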
If you’re building a Facebook canvas application with Rails, take the time to also read my post about keeping your REST architecture with the POST requests.