1 year ago
#94943
automaton
Alternative to HttpOnly / Secure cookies for page requests?
I have a web application that relies on a persistent cookie that is marked as HttpOnly / Secure in order to securely keep the session ID.
The issue is that when this web application is embedded cross-domain, it no longer works with iOS, which blocks third-party cookies.
The normal recommendation for avoiding this would be to use JWT or something with a header (such as Auth Bearer token), which works great for REST APIs.
But what is the alternative to cookies for normal page requests (not REST) as the user is loading new pages? The only thing I can think of is a queryString value, but that is very insecure since anyone can see it, even over HTTPS.
asp.net-core
cookies
cross-domain
third-party-cookies
0 Answers