[thelist] P3P, third-party cookies, and iframes

Lee Kowalkowski lee.kowalkowski at googlemail.com
Mon Mar 29 05:16:27 CDT 2010


Hi Bill,

On 29 March 2010 02:53, Bill Moseley <moseley at hank.org> wrote:
>
> I have partner site that wishes to embed my site inside an iframe.

Oh dear, I fear...

> The
> problem is my site requires cookies (have to log into my site) and IE's
> default setting does not allow third-party cookies.

I think there may still be issues even with a P3P policy, for example,
a few people report that both sites must have the same character set
(e.g. http://stackoverflow.com/questions/999534/ie-p3p-iframe-and-blocked-cookies-works-until-page-host-page-has-personal-info/1774147#1774147).

> As a result we have added session ids to all links and accept a session id
> in the query parameters.  I'm not a fan of doing this for security reasons.
>  Too easy to copy-n-paste URLs or bookmark URLs with the session id that are
> not valid very long[1].

Yeah, this is not nice either.

> Anyone have a solution for this?  That is, get IE to accept the third-party
> cookies?
>
> I've added P3P headers to my responses.  I've tried these two, which were
> examples on sites about this issue:
>
> CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
> CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"

I've never played with this, but I have these bookmarked:
http://www.p3pwriter.com/LRN_111.asp - I would have thought STA needed
to be in your policy, but:
http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer
- The examples in here don't have STA, but they do say be careful what
you put, because you have to do what you say.

> My guess is my policy.xml file is not set up correctly to allow the cookies,
> but on the other hand I don't see IE request those files unless that
> "Summary" policy report is requested.  So, maybe it's just the P3P header
> that isn't correct.

As far as I know, IE's 3rd party cookie logic only refers to the
compact policy in the response header.

> BTW -- is an iframe the only solution to embed the site in a page with IE?
>  I know <object> works with other browsers.

I've never liked the idea of using frames for embedding sites within
sites, there's got to be more trouble than just P3P and usability,
although either of those two alone is enough to put me off.

> [1] Another issue with this is we have had problems where users will have
> multiple windows open resulting in different session ids -- then things like
> javascript "Your session is about to time out!" timers can result in
> invalidating a session id since they pass the session ID in the url,
> resulting in logging the user out in the other window by replacing the
> session id in the cookies.

That just sounds like a design issue: if the user opens the login page
in two windows of the same browser instance, the second login POST
will already contain authenticated session cookies, and that is something
that could be checked.  Or you could have your session URI parameter
and cookies as mutually exclusive (do not give both - or ignore the
URI parameter if a cookie is present).

--
Lee
www.webdeavour.co.uk
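Lee's closing suggestion (treat the session cookie and the session URI parameter as mutually exclusive, and notice when a login POST already carries an authenticated cookie), together with the compact P3P header the thread is about, as one added Python example. This is not code from the thread or from Bill's site: the cookie and parameter names, the in-memory session store, the `/login` path and the request handler are hypothetical, and the compact policy string is simply the first one Bill quoted, reused here with no claim that its tokens are the right ones for any particular site.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Compact policy copied from the thread. Assumption: the site really does what
# these tokens claim. IE consults only this response header when deciding
# whether to keep a third-party cookie, and a policy you do not follow is a
# liability, so pick tokens that match your actual practices.
P3P_HEADER = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'

SESSION_COOKIE = "sid"   # hypothetical cookie name
SESSION_PARAM = "sid"    # hypothetical query-parameter name
LOGIN_PATH = "/login"    # hypothetical login endpoint


class SessionStore:
    """In-memory stand-in for a real session store (hypothetical)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": str, "created": float}

    def create(self, user, now):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "created": now}
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)


def session_from_request(store, headers, url):
    """Pick the session id for a request, cookie and URL being mutually exclusive.

    If a session cookie is present at all, the URL parameter is ignored, so a
    stale id pasted into a link or fired by a timer can never replace a live
    cookie. The URL parameter is honoured only when there is no cookie, which
    is exactly the IE-in-an-iframe case. Returns (sid or None, source).
    """
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if SESSION_COOKIE in cookies:
        sid = cookies[SESSION_COOKIE].value
        return (sid, "cookie") if store.lookup(sid) else (None, "cookie")
    for sid in parse_qs(urlsplit(url).query).get(SESSION_PARAM, []):
        if store.lookup(sid):
            return sid, "url"
    return None, None


def _set_cookie(sid):
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"


def handle_request(store, method, url, headers, now, login_user=None):
    """Minimal request handler. Returns (status, response_headers, sid)."""
    resp = {"P3P": P3P_HEADER}  # on every response, not just the login one
    sid, source = session_from_request(store, headers, url)

    if method == "POST" and urlsplit(url).path == LOGIN_PATH:
        # Second login window: the POST already carries an authenticated
        # cookie, so reuse that session instead of minting a new id that
        # would evict the session the other window is using.
        if sid is None:
            sid = store.create(login_user, now)
            resp["Set-Cookie"] = _set_cookie(sid)
        return 200, resp, sid

    if sid is None:
        return 401, resp, None
    if source == "url":
        # Promote a URL-borne id to a cookie. If the browser refuses it (IE
        # without an accepted compact policy), links must keep carrying the id.
        resp["Set-Cookie"] = _set_cookie(sid)
    return 200, resp, sid
```

The one deliberate choice is that a cookie which is present but no longer valid still suppresses the URL parameter: a user whose cookie has expired gets a 401 and a fresh login rather than being silently re-authenticated by whatever id happens to be in a bookmarked URL.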