[thelist] P3P, third-party cookies, and iframes

Bill Moseley moseley at hank.org
Mon Mar 29 14:47:02 CDT 2010

On Mon, Mar 29, 2010 at 3:16 AM, Lee Kowalkowski <
lee.kowalkowski at googlemail.com> wrote:

> > I have a partner site that wishes to embed my site inside an iframe.
>
> Oh dear I fear...

I think that's succinct enough.

Thanks for the links.  Very helpful.

But, from your links it seems as if the iframe / P3P approach may not always
work as expected.  I think setting up the correct P3P header and policy
files is the correct thing to do, but it may be better to look for a
different solution to the problem instead of trying to fix the symptoms.

What has happened is that due to the third-party cookie limitation we accept
session IDs in both cookies and also in the URL as a query parameter.  I
find this somewhat of a security issue, but it also has led to problems
where the URL session ID doesn't match the cookie's session ID.  One example
is we get reports of "random" logouts, which is the result of a browser (often
in a background window) sending an expired session ID in a request.

The need is this: A partner uses my site's API.  But, at some point the
partner site needs to allow the user to directly interact with my web site
in their browser. Opening my site in an iframe would seem like a good
solution since it allows displaying a mashup of the two sites on the same
page.  But, that's the third party cookie problem.

So, is there another approach than using an iframe?

The only things I can think of are:

1) Do a full redirect to my site and display some data for the partner on my
page.  A "branded" approach.  But the data that the partner would want to
display is often private, not to mention the validation errors -- and the
XSS vulnerability.

2) Return the HTML for my site via API calls with links rewritten to proxy
through the partner's server.  I can't see that working very well because my
site is AJAX heavy, and because of the security issues of using the partner as
a proxy.  Too complex anyway.

Maybe a proper P3P setup is the solution after all?

Thanks for the input,

Bill Moseley
moseley at hank.org
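
The "random logout" described above, as an added example that is not part of
the original message or the author's site: a small model of a server that
accepts the session ID from either the session cookie or a URL query
parameter. The cookie/parameter name "sid", the in-memory store, the user
names and the example.test host are assumptions for illustration. The
URL-first policy reproduces the logout when a background window re-sends an
old URL; the cookie-first policy is one assumed remedy, not something the
message proposes.

```python
# Added example (not code from the original message or the author's site).
# Names ("sid" cookie/parameter, the in-memory store, users, example.test)
# are assumptions for illustration.
from urllib.parse import urlparse, parse_qs

COOKIE_NAME = "sid"
PARAM_NAME = "sid"


class SessionStore:
    """Constructed in-memory store: sid -> (user, expiry time in seconds)."""

    def __init__(self):
        self._sessions = {}

    def create(self, sid, user, expires_at):
        self._sessions[sid] = (user, expires_at)

    def lookup(self, sid, now):
        """Return the user for a live session, or None if unknown or expired."""
        if sid is None:
            return None
        rec = self._sessions.get(sid)
        if rec is None or rec[1] <= now:
            return None
        return rec[0]


def sid_from_cookie(cookie_header):
    """Pull the session ID out of a raw Cookie request header, if present."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def sid_from_url(url):
    """Pull the session ID out of the URL's query string, if present."""
    values = parse_qs(urlparse(url).query).get(PARAM_NAME)
    return values[0] if values else None


def resolve_naive(store, cookie_header, url, now):
    """URL-first policy: an ID in the URL is trusted over the cookie.
    A background tab re-requesting a URL that carries an old, expired sid
    therefore yields no session, and the app treats that as a logout even
    though the cookie session is still live."""
    sid = sid_from_url(url) or sid_from_cookie(cookie_header)
    return store.lookup(sid, now)


def resolve_cookie_first(store, cookie_header, url, now):
    """Cookie-first policy (assumed remedy): a live cookie session always
    wins; the URL sid is consulted only when the cookie yields nothing,
    which is the blocked-third-party-cookie iframe case. A stale or
    mismatching URL sid can then never evict a live cookie session.
    Returns (user, source) with source in {"cookie", "url", "none"}."""
    user = store.lookup(sid_from_cookie(cookie_header), now)
    if user is not None:
        return user, "cookie"
    user = store.lookup(sid_from_url(url), now)
    if user is not None:
        return user, "url"
    return None, "none"


def demo():
    """Reproduce the reported 'random logout' with constructed data."""
    store = SessionStore()
    store.create("old-sid", "alice", expires_at=1000)   # expired session
    store.create("live-sid", "alice", expires_at=9000)  # current session
    now = 5000
    cookie = "theme=dark; sid=live-sid"
    stale_url = "https://example.test/page?sid=old-sid"  # old URL in a background window
    iframe_url = "https://example.test/page?sid=live-sid"
    return {
        "naive": resolve_naive(store, cookie, stale_url, now),
        "cookie_first": resolve_cookie_first(store, cookie, stale_url, now),
        # iframe case: third-party cookie blocked, only the URL carries the sid
        "iframe": resolve_cookie_first(store, "", iframe_url, now),
    }


if __name__ == "__main__":
    print(demo())
```

The URL-first resolver returns no session for the stale URL, which is the
logout; the cookie-first resolver keeps the live cookie session and still
falls back to the URL sid when no cookie arrives. Note that a session ID
carried in the URL also leaks through Referer headers, browser history and
server logs, which is the security concern the message alludes to.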
