Enable Browser Third-Party Cookies for Lightning Out

Lightning components set cookies in a user’s browser. Because Lightning Out runs Lightning components outside of Salesforce, these cookies are “third-party” cookies. There are a few alternatives to make these third-party cookies functional for Lightning Out.

Salesforce uses a cookie for authentication. For Lightning Out apps, we recommend that you enable the setting that replaces the authentication cookie with a session token when a Lightning app is in a third-party context.

From Setup, in the Quick Find box, enter Session, and then select Session Settings. On the Session Settings page, select "When embedding a Lightning application in a third-party site, use a session token instead of a session cookie."

If you don’t enable this setting, your users must allow third-party cookies in their browser settings.

Salesforce uses cookies other than the authentication cookie. For these third-party cookies from Salesforce to work, your users must allow third-party cookies in their browser settings.

The Prevent cross-site tracking setting is enabled by default in iOS and iPadOS 13.4 and Safari 13.1 and later. To allow third-party cookies and use Lightning Out, this setting must be disabled.

To see the Prevent cross-site tracking setting:

  • In the Safari app on a Mac desktop, go to Safari | Preferences, and click Privacy.
  • In iOS and iPadOS, go to Settings | Safari.

An alternative to requiring all Safari users to change their cross-site tracking browser setting is to set up a custom domain. The custom domain matches the first-level domain of the external server that calls the Lightning Out app. This approach causes the browser to see the external server and the Lightning Out app as part of the same domain so cookies can be shared between the two sites.

For example, to call a Lightning Out app from an external.example.com server, add a custom domain, such as lightningout.example.com, in Salesforce. You must set up a DNS record to map the fully qualified domain name (FQDN), lightningout.example.com, to the custom domain URL in Salesforce.

  1. Decide on the custom domain name, for example, lightningout.example.com. The custom domain must resolve to the same parent domain as the third-party site that calls the Lightning Out app.
  2. Find your 18-character org ID from Setup by entering Domains in the Quick Find box, then select Domains. Click Add a Domain and note the org ID listed at the top of the page.
  3. Set up a CNAME record with your DNS provider to map the custom domain name, such as lightningout.example.com, to the custom domain in Salesforce. The target of the CNAME record uses the format YourFQDN.Your18charOrgId.live.siteforce.com, where YourFQDN is the custom domain name that you chose in the first step.
  4. Create a custom domain by completing the Add a Domain page.
    1. For the Domain Name, enter the custom domain name, such as lightningout.example.com, that you chose in the first step.
    2. For the HTTPS Option, choose "Salesforce serves the domain over HTTPS, on Salesforce's servers, using your HTTPS certificate."
  5. Configure the Lightning Out Markup on the external server's page to use the FQDN of the CNAME record, such as lightningout.example.com, which you set up with your DNS provider. The src attribute in the script tag and the lightningEndPointURI argument in the $Lightning.use() function must both use the FQDN of the CNAME record.
  6. If your app uses authentication, see Authentication from Lightning Out.
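
The checks in steps 1, 2, 3, and 5 can be run before deployment. The following is an added example, not Salesforce code: the function name, the field names, and the explicit parentDomain input are hypothetical, the org ID and URLs are constructed sample values, and the HTTPS check assumes the HTTPS option chosen in step 4.

```javascript
// Added example: pre-deployment check for the Lightning Out custom-domain setup.
// All names here are hypothetical; sample values at the bottom are constructed.
function checkLightningOutDomain(cfg) {
  const problems = [];
  const host = (h) => h.toLowerCase().replace(/\.$/, "");
  const under = (h, parent) => host(h).endsWith("." + host(parent));

  // Step 1: the custom domain and the calling site share the parent domain.
  // The parent is passed in explicitly because deriving it from the last
  // two labels is wrong for suffixes such as co.uk.
  for (const h of [cfg.customDomain, cfg.externalHost]) {
    if (!under(h, cfg.parentDomain)) problems.push(`${h} is not under ${cfg.parentDomain}`);
  }

  // Step 2: the org ID must be the 18-character form.
  if (!/^[A-Za-z0-9]{18}$/.test(cfg.orgId)) {
    problems.push("org ID is not 18 alphanumeric characters");
  }

  // Step 3: CNAME target in the format YourFQDN.Your18charOrgId.live.siteforce.com.
  const cnameTarget = `${host(cfg.customDomain)}.${cfg.orgId}.live.siteforce.com`;

  // Step 5: script src and lightningEndPointURI must both use the CNAME's FQDN.
  const urls = [["script src", cfg.scriptSrc], ["lightningEndPointURI", cfg.lightningEndPointURI]];
  for (const [name, value] of urls) {
    let u;
    try { u = new URL(value); } catch { problems.push(`${name} is not an absolute URL`); continue; }
    if (u.protocol !== "https:") problems.push(`${name} is not HTTPS`);
    if (host(u.hostname) !== host(cfg.customDomain)) {
      problems.push(`${name} uses ${u.hostname}, not ${cfg.customDomain}`);
    }
  }
  return { ok: problems.length === 0, cnameTarget, problems };
}

// Constructed sample configuration (not a real org).
const sampleConfig = {
  parentDomain: "example.com",
  externalHost: "external.example.com",
  customDomain: "lightningout.example.com",
  orgId: "00D000000000001AAA",
  scriptSrc: "https://lightningout.example.com/lightning/lightning.out.js",
  lightningEndPointURI: "https://lightningout.example.com",
};
console.log(checkLightningOutDomain(sampleConfig));
```

A mismatch in either URL means the browser loads Lightning Out from a different site than the page that embeds it, so the cookies are treated as third-party again.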
