No third-party cookies means: no third-party cookies
August 16th, 2011

For historical reasons, WebKit allowed setting third-party cookies in response to the user interacting with the frame, e.g. if a user filled in a form in a frame and submitted it, the response cookies were accepted, even if the user chose to block third-party cookies. Even worse, it didn't matter whether the form was submitted as a result of a user action or by a script. A third-party site can exploit this and create a hidden frame with a form, submit the form, and voila, set cookies.
In r92142 I closed this loophole for good. Turns out that some sites are relying on this feature. You might wonder how this worked with other browsers, but other browsers either don't block third-party cookies by default or accept them anyway if the site sets an (almost certainly fake) P3P compact policy…
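The decision described above, written as a simplified model. This is an added illustration, not WebKit source or the change made in r92142. The host names, the request fields and the two-label definition of a "site" are assumptions.

```javascript
// Simplified model of the cookie decision described in the post; not WebKit code.
// Assumption: a "site" is the last two host labels (real browsers use the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function isThirdParty(topLevelUrl, responseUrl) {
  return site(topLevelUrl) !== site(responseUrl);
}

// Before the fix: a form submission unlocked cookies for a third-party frame,
// and nothing checked whether a user or a script had submitted the form.
function legacyAccepts(req) {
  if (!req.blockThirdParty || !isThirdParty(req.topLevelUrl, req.responseUrl)) return true;
  return req.formSubmission; // req.userInitiated is never consulted: that is the loophole
}

// After the fix: "block third-party cookies" has no exceptions.
function fixedAccepts(req) {
  return !req.blockThirdParty || !isThirdParty(req.topLevelUrl, req.responseUrl);
}

// Constructed sample requests (hypothetical hosts), all with blocking switched on.
const topLevel = "https://news.example/article";
const samples = [
  { name: "first-party form", responseUrl: "https://www.news.example/login",
    formSubmission: true, userInitiated: true },
  { name: "third-party image", responseUrl: "https://tracker.test/pixel.gif",
    formSubmission: false, userInitiated: false },
  { name: "third-party form, submitted by user", responseUrl: "https://widget.test/post",
    formSubmission: true, userInitiated: true },
  { name: "third-party form, submitted by script", responseUrl: "https://tracker.test/post",
    formSubmission: true, userInitiated: false },
].map((s) => ({ blockThirdParty: true, topLevelUrl: topLevel, ...s }));

// One row per sample: was the response cookie accepted under each policy?
function compare() {
  return samples.map((s) => ({
    name: s.name, legacy: legacyAccepts(s), fixed: fixedAccepts(s),
  }));
}

console.table(compare());
```

The third row is the case that sites relying on the old behaviour lose after the fix: the user really did submit the form, but the response is still third-party.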