Commit a10274a
Merge pull request #191705 from mmacy/patch-4
[MSID][ISSUE] link to iframe usage in MSAL.js
2 parents 6058e23 + d64ce18 commit a10274a

1 file changed, +12 -7 lines changed
articles/active-directory/develop/reference-third-party-cookies-spas.md

Lines changed: 12 additions & 7 deletions
@@ -10,15 +10,15 @@ ms.service: active-directory
1010
ms.subservice: develop
1111
ms.workload: identity
1212
ms.topic: conceptual
13-
ms.date: 10/06/2021
13+
ms.date: 03/14/2022
1414
ms.author: ludwignick
1515
ms.reviewer: kkrishna
1616
ms.custom: aaddev
1717
---
1818

1919
# Handle ITP in Safari and other browsers where third-party cookies are blocked
2020

21-
Many browsers today are blocking third-party cookies - cookies on requests to domains that aren't the same as the one showing in the browser bar. This breaks the implicit flow and requires new authentication patterns to successfully sign in users. In the Microsoft identity platform, we use the authorization flow with Proof Key for Code Exchange (PKCE) and refresh tokens to keep users signed in when third-party cookies are blocked.
21+
Many browsers block _third-party cookies_, cookies on requests to domains other than the domain shown in the browser's address bar. This block breaks the implicit flow and requires new authentication patterns to successfully sign in users. In the Microsoft identity platform, we use the authorization flow with Proof Key for Code Exchange (PKCE) and refresh tokens to keep users signed in when third-party cookies are blocked.
2222

2323
## What is Intelligent Tracking Protection (ITP)?
2424

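Review bot: in new line 21, "This block breaks the implicit flow" reads awkwardly because "block" was just used as the verb in the preceding sentence; suggest "Blocking them breaks the implicit flow" or simply "This breaks the implicit flow". The rest of the rewrite (defining _third-party cookies_ by the address-bar domain and bumping ms.date to 03/14/2022) is fine as is.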
@@ -62,12 +62,17 @@ There are two ways of accomplishing sign-in:
6262
- When the popup finishes redirecting to the application after authentication, code in the redirect handler will store the code and tokens in local storage for the application to use. MSAL.js supports popups for authentication, as do most libraries.
6363
- Browsers are decreasing support for popups, so they may not be the most reliable option. User interaction with the SPA before creating the popup may be needed to satisfy browser requirements.
6464

65-
> [!NOTE]
66-
> Apple [describes a popup method](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/) as a temporary compatibility fix to give the original window access to third-party cookies. While Apple may remove this transferral of permissions in the future, it will not impact the guidance here. Here, the popup is being used as a first party navigation to the login page so that a session is found and an auth code can be provided. This should continue working into the future.
65+
Apple [describes a popup method](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/) as a temporary compatibility fix to give the original window access to third-party cookies. While Apple may remove this transferral of permissions in the future, it will not impact the guidance here.
66+
67+
Here, the popup is being used as a first party navigation to the login page so that a session is found and an auth code can be provided. This should continue working into the future.
6768

68-
### A note on iframe apps
69+
### Using iframes
6970

70-
A common pattern in web apps is to use an iframe to embed one app inside another. The top-level frame handles authenticating the user, and the application hosted in the iframe can trust that the user is signed in, fetching tokens silently using the implicit flow. Silent token acquisition no longer works when third-party cookies are blocked - the application embedded in the iframe must switch to using popups to access the user's session as it can't navigate to the login page.
71+
A common pattern in web apps is to use an iframe to embed one app inside anotherd: the top-level frame handles authenticating the user and the application hosted in the iframe can trust that the user is signed in, fetching tokens silently using the implicit flow.
72+
73+
Silent token acquisition no longer works when third-party cookies are blocked - the application embedded in the iframe must switch to using popups to access the user's session as it can't navigate to the login page.
74+
75+
You can achieve single sign-on between iframed and parent apps with same-origin _and_ cross-origin JavaScript script API access by passing a user (account) hint from the parent app to the iframed app. For more information, see [Using MSAL.js in iframed apps](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/iframe-usage.md) in the MSAL.js repository on GitHub.
7176

7277
## Security implications of refresh tokens in the browser
7378

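Review bot: new line 75 asserts that single sign-on between an iframed app and its parent can be achieved by passing a user (account) hint, but new line 73 directly above it says silent token acquisition in the iframe no longer works when third-party cookies are blocked, and that blocked-cookie case is the whole subject of the article; the hunk never says whether the hint-based approach works under ITP or only when the iframe can still reach the login session, so add that qualifier explicitly instead of leaving the two paragraphs in apparent conflict. Smaller points in the same hunk: new line 71 has the typo "anotherd"; "JavaScript script API access" in new line 75 repeats "script" and could be "JavaScript API access"; and now that the `> [!NOTE]` callout has been split into plain paragraphs, "Here, the popup is being used..." in new line 67 opens a paragraph with nothing for "Here" to point at, so "In this guidance, the popup is used..." would read better.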
@@ -77,7 +82,7 @@ This limited-lifetime refresh token pattern was chosen as a balance between secu
7782

7883
## Next steps
7984

80-
For more information about authorization code flow and Microsoft Authentication Library (MSAL) for JavaScript v2.0, see:
85+
For more information about authorization code flow and MSAL.js, see:
8186

8287
- [Authorization code flow](v2-oauth2-auth-code-flow.md).
8388
- [MSAL.js 2.0 quickstart](quickstart-v2-javascript-auth-code.md).
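Review bot: new line 85 drops the expansion "Microsoft Authentication Library (MSAL) for JavaScript v2.0" in favor of the bare "MSAL.js"; nothing else in this diff expands the abbreviation (it appears unexpanded at line 62 and in the new iframe paragraph at line 75), so if this was the article's only expansion, keep it on first use. Dropping the version qualifier itself is fine, since the quickstart bullet below still reads "MSAL.js 2.0".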
