MVP might die . Please help)

Sorry Repeating this but it’s quite Urgent.

Currently we have two apps running (accounts) and the other app .We implemented SSO with iframe postmessage. All works well . Except iPhone and Max users have to Disable ‘Prevent cross site tracking’ in settings for them to login without Issues .
We have different ideas around this.

  1. OAuth. But it’s an MVP. Also it’s our application so it doesn’t really make sense .
  2. there’s (https://nb-accounts.meteorapp.com/) ,get the token and redirect to music.example.com/login?tok=tokenId
    Second choice is just sad because some bad guy can that sniff the token

What would you suggest ?

Could you post the exact error message you are seeing, with any stack trace?