MVP might die . Please help)

Sorry Repeating this but it’s quite Urgent.

Currently we have two apps running (accounts) and the other app .We implemented SSO with iframe postmessage. All works well . Except iPhone and Max users have to Disable ‘Prevent cross site tracking’ in settings for them to login without Issues .
We have different ideas around this.

  1. OAuth. But it’s an MVP. Also it’s our application so it doesn’t really make sense .
  2. there’s ( ,get the token and redirect to
    Second choice is just sad because some bad guy can that sniff the token

What would you suggest ?

Could you post the exact error message you are seeing, with any stack trace?