Cookie blocked/not saved in IFRAME in Internet Explorer
Asked Answered
S

22

399

I have two websites, let's say they're example.com and anotherexample.net. On anotherexample.net/page.html, I have an IFRAME SRC="http://example.com/someform.asp". That IFRAME displays a form for the user to fill out and submit to http://example.com/process.asp. When I open the form ("someform.asp") in its own browser window, all works well. However, when I load someform.asp as an IFRAME in IE 6 or IE 7, the cookies for example.com are not saved. In Firefox this problem doesn't appear.

For testing purposes, I've created a similar setup on http://newmoon.wz.cz/test/page.php .

example.com uses cookie-based sessions (and there's nothing I can do about that), so without cookies, process.asp won't execute. How do I force IE to save those cookies?

Results of sniffing the HTTP traffic: on GET /someform.asp response, there's a valid per-session Set-Cookie header (e.g. Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY), but on POST /process.asp request, there is no Cookie header at all.

Edit3: some AJAX+serverside scripting is apparently capable to sidestep the problem, but that looks very much like a bug, plus it opens a whole new set of security holes. I don't want my applications to use a combination of bug+security hole just because it's easy.

Edit: the P3P policy was the root cause, full explanation below.

Smokejumper answered 23/12, 2008 at 17:8 Comment(4)
a good solution indeed.. i tried creating the privacy policy.. added to my context root... and in my jsp page i am setting the header.. still am not able to get rid of that red eye.. can u help me resolving the problem..Abductor
Thanks for the demo site @Piskvor, I referenced it here on this Security.SE post that lists websites with interactive browser testsGeographer
@makerofthings7: YW. I'll migrate it to a non-temporary (sic!) site and will suggest an edit on Security.se, that page was a somewhat hacky proof-of-concept.Britney
Don't bother to try to do make P3P run in Windows 10 / Internet Explorer 11 (msdn.microsoft.com/en-us/library/…). P3P does not work at all, so no matter what you do, the cookies won't get stored. Proof here as well enhanceie.com/test/cookieLoper
S
432

I got it to work, but the solution is a bit complex, so bear with me.

What's happening

As it is, Internet Explorer gives lower level of trust to IFRAME pages (IE calls this "third-party" content). If the page inside the IFRAME doesn't have a Privacy Policy, its cookies are blocked (which is indicated by the eye icon in status bar, when you click on it, it shows you a list of blocked URLs).

the evil eye
(source: piskvor.org)

In this case, when cookies are blocked, session identifier is not sent, and the target script throws a 'session not found' error.

(I've tried setting the session identifier into the form and loading it from POST variables. This would have worked, but for political reasons I couldn't do that.)

It is possible to make the page inside the IFRAME more trusted: if the inner page sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.

How to solve it

Create a p3p policy

A good starting point is the W3C tutorial. I've gone through it, downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by (here it was policy1).

NOTE: at this point, you actually need to find out if your site has a privacy policy, and if not, create it - whether it collects user data, what kind of data, what it does with it, who has access to it, etc. You need to find this information and think about it. Just slapping together a few tags will not cut it. This step cannot be done purely in software, and may be highly political (e.g. "should we sell our click statistics?").

(e.g. "the site is operated by ACME Ltd., it uses anonymous per-session identifiers for its operation, collects user data only if explicitly permitted and only for the following purposes, the data is stored only as long as necessary, only our company has access to it, etc. etc.").

(When editing with this tool, it's possible to view errors/omissions in the policy. Also very useful is the tab "HTML Policy": at the bottom, it has a "Policy Evaluation" - a quick check if the policy will be blocked by IE's default settings)

The Editor exports to a .p3p file, which is an XML representation of the above policy. Also, it can export a "compact version" of this policy.

Link to the policy

Then a Policy Reference file (http://example.com/w3c/p3p.xml) was needed (an index of privacy policies the site uses):

<META>
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/example-com.p3p#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
</META>

The <INCLUDE> shows all URIs that will use this policy (in my case, the whole site). The policy file I've exported from the Editor was uploaded to http://example.com/w3c/example-com.p3p

Send the compact header with responses

I've set the webserver at example.com to send the compact header with responses, like this:

HTTP/1.1 200 OK 
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR IVAi IVDi OUR TST"
// ... other headers and content

policyref is a relative URI to the Policy Reference file (which in turn references the privacy policies), CP is the compact policy representation. Note that the combination of P3P headers in the example may not be applicable on your specific website; your P3P headers MUST truthfully represent your own privacy policy!

Profit!

In this configuration, the Evil Eye does not appear, the cookies are saved even in the IFRAME, and the application works.

Edit: What NOT to do, unless you like defending from lawsuits

Several people have suggested "just slap some tags into your P3P header, until the Evil Eye gives up".

The tags are not only a bunch of bits, they have real world meanings, and their use gives you real world responsibilities!

For example, pretending that you never collect user data might make the browser happy, but if you actually collect user data, the P3P is conflicting with reality. Plain and simple, you are purposefully lying to your users, and that might be criminal behavior in some countries. As in, "go to jail, do not collect $200".

A few examples (see p3pwriter for the full set of tags):

  • NOI : "Web Site does not collected identified data." (as soon as there's any customization, a login, or any data collection (***** Analytics, anyone?), you must acknowledge it in your P3P)
  • STP: Information is retained to meet the stated purpose. This requires information to be discarded at the earliest time possible. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy." (so if you send STP but don't have a retention policy, you may be committing fraud. How cool is that? Not at all.)

I'm not a lawyer, but I'm not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually willing to honor your promises.

Smokejumper answered 23/12, 2008 at 17:8 Comment(10)
I was 95% complete, but my header only said: P3P: CP="...." and didn't include the policyref link, which made it work in IE7, but not IE6... works good now. Thanks!Frankenstein
The link to the IBM editor is not working anymore. Through The Wayback Machine I was able to find this working link: www6.software.ibm.com/sdfdl/1v2/regs2/awadmin/p3peditor/Xa.2/…Ephrayim
Some news on this topics: -IBM editor can be found at: softpedia.com/get/Security/Security-Related/… -P3P standards seems to be 'dead'. Big companies like google and facebook now use invalid P3P headers to bypass IE security. See these posts: cylab.cmu.edu/research/techreports/2010/tr_cylab10014.html zdnet.com/blog/facebook/… techpolicy.com/…Expressway
Another info that can help someone with a similar problem: from my tests if domains are in different security zones (for example first-party is internet and third-party is intranet) it is not possible to accept third party cookie also if P3P is correctly configured. The cookie is always blocked.Expressway
If you have sign '_' in your domain names it cann't work properly. See my answer below for details. Looks like a magic, I know, but helped me in my case.Tendance
Is this only for IE ? how about in Safari ?Ahron
It is important to note that the term 'third-party' is not as clear as one might think. If an iframe has third-party content relative to the enclosing site and has a valid privacy policy, and it redirects to a view in the iframe that comes from the main site, then unless that view has a valid privacy policy, IE won't trust its cookies. Even if that view is coming from the same site as the one containing the iframe.Fortaleza
"Update: P3P is currently non-functional in the current Windows 10 preview build; although all of the UI remains present, it has no effect. No announcement has been made about the future of P3P." blogs.msdn.com/b/ieinternals/archive/2013/09/17/…. So Microsoft are ditching an easily avoidable pointless security policy, but we are stuck with it for OS before 10. I recommend ignoring the advice in this response and faking profiles like Google and Facebook do, as highlighted by @Davide Icardi.Megalith
That said (and especially if you are in the EU) you will need a user cookie policy for people to opt in/out of. That is one for the legal team, but it isn't a technological problem as such.Megalith
@mummybot: Indeed, this question is now no more than a historical curiosity - many things have changed since it was written.Britney
C
170

I've spend a large part of my day looking into this P3P thing and I feel the need to share what I've found out.

I've noticed that the P3P concept is very outdated and seems only to be really used/enforced by Internet Explorer (IE).

The simplest explanation is: IE wants you to define a P3P header if you are using cookies.

This is a nice idea, and luckily most of the time not providing this header won't cause any issues (read browser warnings). Unless your website/web application is loaded into an other website using an (i)Frame. This is where IE becomes a massive pain in the ***. It will not allow you to set a cookie unless the P3P header is set.

Knowing this I wanted to find an answer to the following two questions:

  1. Who cares? In other words, can I be sued if I put the word "Potato" in the header?
  2. What do other companies do?

My findings are:

  1. No one cares. I'm unable to find a single document that suggests this technology has any legal weight. During my research I didn't find a single country around the world that has adopted a law that prevents you from putting the word "Potato" in the P3P header
  2. Both Google and Facebook put a link in their P3P header field referring to a page describing why they don't have a P3P header.

The concept was born in 2002 and it baffles me that this outdated and legally unimplemented concept is still forced upon developers within IE. If this header doesn't have have any legal ramifications this header should be ignored (or alternatively, generate a warning or notification in the console). Not enforced! I'm now forced to put a line in my code (and send a header to the client) that does absolutely nothing.

In short - to keep IE happy - add the following line to your PHP code (Other languages should look similar)

header('P3P: CP="Potato"');

Problem solved, and IE is happy with this potato.

Confederate answered 23/12, 2008 at 17:8 Comment(11)
Indeed, the issue has changed significantly since 2008, when this was posted. The Web has moved on, and the consensus on P3P has settled on "nobody cares anymore." Good to know what IE does with invalid input in this case.Britney
Oh man, this is one of those hidden internet explorer gems! HttpContext.Current.Response.AddHeader("p3p", "CP=\"Internet Explorer Was Programmed By Idiots\""); That one works for me!Moxa
@Mvision Don't blame the developers, this is rather an issue related to lawyers and management? I'm guessing that most developer did realize that the feature would result in Potato like solutions :-)Comstock
For ASP.Net, you can add this to your web config: '<system.webServer> <handlers> <httpProtocol> <customHeaders> <add name="p3p" value="CP=&quot;Internet Explorer Requires This In Order to Set Third Party Cookies&quot;" /> </customHeaders> </httpProtocol> </handlers> </system.webServer>'Cyclamen
Oh this needs to be higher! I spent hours trying to get cookies working in an IE 11 iframe. Trying all sorts of P3P combinations and getting various results depending on cookie type/expiration. Finally putting Potato in my P3P solved it. haha!Wrote
I'd love to see how many site around the web send potato privacy policies based on this answer. (I know I've had my hand in a few. :-))Rousing
@ScottSB I wondered the same. I think I found the answer: shodan.io/search?query=P3P%3A+CP%3D%22Potato%22Confederate
There are definitely more instances out there than that search shows. I know only because it doesn't include the servers I manage that send potatoes.Rousing
If you're Dan Quayle you have to use header('P3P: CP="Potatoe"');Hollar
The Magic Potato Tricks is awesome. Here is how I implemented it in my ASP.NET MVC 5 project: i.imgur.com/Rtk5qYf.png. Thanks a LOT, you saved me from loads of headaches ☺Moton
In the United States there are generally no laws about this stuff. In the EU, however, they have the cookie law, and users must consent to cookies. Assuming you are following the laws regarding notification & consent of the country where you do business you are probably OK vis-a-vi the technical implementation itself.Mccord
D
57

I was able to make the evil eye go away by simply adding this small header to the site in the IFrame (PHP solution):

header('P3P: CP="NOI ADM DEV COM NAV OUR STP"');

Remember to press ctrl+F5 to reload your site or Explorer may still show the evil eye, despite the fact that it's working fine. This is probably the main reason why I had so many problems getting it to work.

No policy file was neccesary at all.

Edit: I found a nice blog entry that explains the problem with cookies in IFrames. It also has a quick fix in C# code: Frames, ASPX Pages and Rejected Cookies

Dinghy answered 23/12, 2008 at 17:8 Comment(8)
IANAL, but the P3P policy seems to be legally binding. Are you aware what you're promising to the users here, or did you just mix tags until the EvilEye disappeared? I think browser caching won't be your biggest problem with these: "NOI: Web Site does not collect identified data. STP: Information is retained to meet the stated purpose. This requires information to be discarded at the earliest time possible. Sites MUST have a retention policy that establishes a destruction time table. The retention policy MUST be included in or linked from the site's human-readable privacy policy."Britney
I must admit that I dont really care what it means, I just needed stuff to work in Explorer. The sites are our own non-public sites one of which uses a cookie to 'remember' which style to show the site in. So, yes, I just mixed tags until the evil eye disappeared.Dinghy
Found a nice blog entry that explains the problem here: aspnetresources.com/blog/frames_webforms_and_rejected_cookiesDinghy
The increasing irrelevance of P3P. cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab10014.pdf If it's so legally binding, there'd be lawsuit precedence by now proving such. It's viewed with such high esteem that all but one of my competitors even bother posting one in the first place. They must figure that if their customers can't leave the IE setting on Medium, they aren't worth the effort. Sales lost on one site would have to be pretty high if cookies don't work, the cart dies without them.Democratize
A single lawsuit from 2004 doesn't count as precedence, only a fluke.Democratize
"I'm not a lawyer but I'm going to give you legal advice based on a PDF I found on the Internet." Hmm...Ri
This answer suggests using a dummy header like CP="This_is_not_a_privacy_policy". Doing that seems less legally binding, I think (since e.g. NOI and STP and nothing like that at all is mentioned), and apparently makes IE happy :-)Comstock
WOW this still works! Ridiculous limitations seems to lead to same workarounds! Thanks!Basal
C
21

This is buried in the comments of other answers, but I almost missed it, so it seems like it deserves its own answer.

To review: in order for IE to accept 3rd party cookies, you need serve your files with an http header called p3p in the format:

CP="my compact p3p policy"

BUT, p3p is pretty much dead as a standard at this point and you can easily get IE to work without investing the time and legal resources in creating a real p3p policy. This is because if your compact p3p policy header is invalid, IE actually treats it as a good policy and accepts 3rd party cookies. So you can use a p3p header such as this

CP="This site does not have a p3p policy."

You can optionally include a link to a page that explains why you don't have a p3p policy, as Google and Facebook do (they point here: https://support.google.com/accounts/answer/151657 and here: https://www.facebook.com/help/327993273962160/).

Finally, it's important to note that all files served from the 3rd party site need to have the p3p header, not just the one that sets the cookie, so you may not be able to just do this in your PHP, asp.net, etc code. You are probably better off setting in up on the web server level (i.e. in IIS or Apache).

Carminecarmita answered 23/12, 2008 at 17:8 Comment(0)
B
20

I had this issue as well, thought I'd post the code that I used in my MVC2 project. Be careful when in the page life cycle you add in the header or you'll get an HttpException "Server cannot append header after HTTP headers have been sent." I used a custom ActionFilterAttribute on the OnActionExecuting method (called before the action is executed).

/// <summary>
/// Privacy Preferences Project (P3P) serve a compact policy (a "p3p" HTTP header) for all requests
/// P3P provides a standard way for Web sites to communicate about their practices around the collection, 
/// use, and distribution of personal information. It's a machine-readable privacy policy that can be 
/// automatically fetched and viewed by users, and it can be tailored to fit your company's specific policies.
/// </summary>
/// <remarks>
/// More info http://www.oreillynet.com/lpt/a/1554
/// </remarks>
public class P3PAttribute : ActionFilterAttribute
{
    /// <summary>
    /// On Action Executing add a compact policy "p3p" HTTP header
    /// </summary>
    /// <param name="filterContext"></param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

        base.OnActionExecuting(filterContext);
    }
}

Example use:

[P3P]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewData["Message"] = "Welcome!";

        return View();
    }

    public ActionResult About()
    {
        return View();
    }
}
Barrows answered 23/12, 2008 at 17:8 Comment(0)
D
14

This is a great topic on the issue, however I found that one important detail (which was essential at least in my case) that was not posted here or anywhere else (I apologize if I just missed it) was that the P3P line must be passed in header of EVERY file sent from the 3rd party server, even files not setting or using the cookies such as Javascript files or images. Otherwise the cookies will be blocked. I have more on this in a post here: http://posheika.net/?p=110

Deport answered 23/12, 2008 at 17:8 Comment(0)
K
5

If anybody is looking for Apache line; we used this one.

Header set P3P "CP=\"Thanks IE8\""

It really didn't matter what we set CP value to, as long as there is the P3P header.

Krause answered 23/12, 2008 at 17:8 Comment(0)
G
5

Anyone having this problem in node.js.

Then add this p3p module, and enable this module at middleware.

npm install p3p

I am using express so I add it in app.js

First require that module in app.js

var express = require('express');
var app = express();
var p3p = require('p3p');

then use it as middleware

app.use(p3p(p3p.recommended));

It will add p3p headers at res object. No need to do any extra things.

You will get more info at:

https://github.com/troygoode/node-p3p

Gamo answered 23/12, 2008 at 17:8 Comment(0)
G
4

One possible thing to do is to add the domain to allowed sites in tools -> internet options -> privacy -> sites: somedomain.com -> allow -> OK.

Gerda answered 23/12, 2008 at 17:8 Comment(1)
Yes, if you only care that it works on your computer. Not entirely practical to suggest this to every visitor.Britney
R
3

I was investigating this problem with regard to login-off via Azure Access Control Services, and wasn't able to connect head and tails of anything.

Then, stumbled over this post https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/

In short, IE doesn't share cookies across zones (eg. Internet vs. Trusted sites).

So, if your IFrame target and html page are in different zone's P3P won't help with anything.

Rockery answered 23/12, 2008 at 17:8 Comment(2)
I'm surprised this is still relevant in 2016 :)Britney
Status for P3P in IE is documented here: msdn.microsoft.com/en-us/library/mt146424(v=vs.85).aspx, the future looks bright :)Rockery
E
3

One solution that I haven't seen mentioned here, is using session storage instead of cookies. Of course this might not fit everyone's requirements, but for some cases it's an easy fix.

Ephrayim answered 23/12, 2008 at 17:8 Comment(1)
Good point. Note that at the time this question was posted, support for session storage was nonexistent, especially in IE. But the times, they are a-changing ;)Britney
B
3

This post provides some commentary on P3P and a short-cut solution that reduces the problems with IE7 and IE8.

Buhr answered 23/12, 2008 at 17:8 Comment(10)
To quote the article: "it basically says “We’re not collecting any of your personal data”" - good luck with that. I have seen zero sites that actually fulfill the tokens set in that policy (not collecting any data at all, not even anonymous statistical data - server access logs, anyone?). The other policy offered is also pretty hard to achieve (you have any sort of web analytics? Bam, you just broke your P3P policy). So, the article can be summed up as "just lie blatantly, nobody cares anyway". Most useful article on the whole Internet, indeed.Britney
To quote another part of the article: "There’s surprisingly little good, free information on the internet about P3P, compact policies, and IE7’s requirements - and IE7 gives absolutely no helpful debugging output such as why your cookie was blocked." This appears to be completely true! Having spent most of my day trying to discover why IE7/8 behaved differently than every other browser, I was extremely happy to find this post. It's probably time to realize that P3P is a dead spec, and that most people would rather just work around it. This post IS probably the most useful one on the subject.Ceyx
"There’s surprisingly little good, free information on the internet" - that could have been true in 2007 (when that was written),but there's a lot of information on the Internet now, even free tools that help you build the P3P policy according to your specific situation.I'm not defending P3P, but saying "eh screw it, just make it go away" can have expensive consequences (as you're making very unambiguous claims about your site).Whether P3P is actually legally binding hasn't been tested yet (IIRC),but I wouldn't want to be on the receiving end of that lawsuit.Britney
@Smokejumper The post solves the problem for most. Is it a security risk? is it a lie? well most browsers simply ignore the problem and you don't even need to create a work around. So as a minimum it's not introducing news risksCryolite
@Rune FS: "Oh, that annoying orange light next to your gas meter? Just ignore it, it's not a critical error." sigh Piskvor over and out.Britney
@Smokejumper Linked from "the most useful post .. on the internet" links to a sibling p3pwriter.com/LRN_141.asp, which seems to suggest that P3P legality has a precedent. Fwiw.Genuflect
@Smokejumper - Please post the free P3P tools. All the ones I try to go to have been bought up by link farms and fake search. IBM pulled their free tool. P3P support seems to be like grass dieing in a drought in 2012.Democratize
@FiascoLabs: I don't have them - note that this is a question from 2008, and the comments above are over a year old. Many things have happened since, and I haven't kept track of all software I have ever installed. (P3P itself seems to be dying out, so that's perhaps the reason)Britney
@Fiasco Labs: The P3P editor seems to have surfaced again, found by another user - see the links in comments on the question.Britney
Found the IBM Alphaworks p3p editor here on softpedia: softpedia.com/get/Security/Security-Related/…Democratize
M
2

I've implemented a full P3P policy before but didn't want go through the hassle again for a new project I was working on. I found this link useful for a simple solution to the problem, only having to specify a minimal compact P3P policy of "CAO PSA OUR":

http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html

The article quotes a (now broken) link to a Microsoft kb article. The policy did the trick for me!

Milewski answered 23/12, 2008 at 17:8 Comment(0)
G
2

Got similar problem, also went to investigate how to generate the P3P policy this morning, here is my post about how to generate your own policy and use in the web site :) http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-policy-and-implement.html

Gyasi answered 23/12, 2008 at 17:8 Comment(0)
B
1

This finally worked for me (after a lot of hastle and generating some policies using IBMs policy generator). You can downlod the policy generator here: http://www.softpedia.com/get/Security/Security-Related/P3P-Policy-Editor.shtml

I was not able to download the generator from the official IBM website any more.

I created these files in the root folder of my Web-App

/index.php
/w3c/policy.html (Human readable format)
/w3c/p3p.xml
/w3c/policy.p3p
  1. Index.php: Just send an additional header:
header('P3P: policyref="/w3c/p3p.xml", CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV DEM"');
  1. Content of p3p.xml
<META>
    <POLICY-REFERENCES>
        <POLICY-REF about="/w3c/policy.p3p#App">
            <INCLUDE>/</INCLUDE>
            <COOKIE-INCLUDE/>
        </POLICY-REF>
    </POLICY-REFERENCES>
</META>
  1. Content of my policy.html file

<html>
<head>
<STYLE type="text/css">
title { color: #3333FF}
</STYLE>
<title>Privacy Statement for YOUR COMPANY NAME</title>
</head>
<body>
<h1 class="title">Privacy Policy</h1>
<!-- "About Us" section of privacy policy -->
<h2>About Us</h2>
<p>This is a privacy policy for YOUR COMPANY NAME.
Our homepage on the Web is located at <a href="YOURWEBSITE">
YOURWEBSITE</a>.
The full text of our privacy policy is available on the Web at 
<a href="ABSOLUTE URL OF THIS FILE">
ABSOLUTE URL OF THIS FILE</a>
This policy does not tell users where they can go to exercise their opt-in or opt-out options.
<p>We invite you to contact us if you have questions about this policy.
You may contact us by mail at the following address:
<pre>FIRSTNAME LASTNAME
YOUR ADDRESS HERE
</pre>
<p>You may contact us by e-mail at 
<a href="mailto:[email protected]">
[email protected]</a>. 
You may call us at TELEPHONENUMBER.
<!-- "Privacy Seals" section of privacy policy -->
<h2>Dispute Resolution and Privacy Seals</h2>
<p>We have the following privacy seals and/or dispute resolution mechanisms.
If you think we have not followed our privacy policy in some way, they can help you resolve your concern.
<ul>
<li>
<b>Dispute</b>:
Contact us for further information
</ul>
<!-- "Additional information" section of privacy policy -->
<h2>Additional Information</h2>
<p>
This policy is valid for 1 day from the time that it is loaded by a client.
</p>
<!-- "Data Collection" section of privacy policy -->
<h2>Data Collection</h2>
<p>P3P policies declare the data they collect in groups (also referred to as "statements").
This policy contains 1 data group.
<hr width="50%" align="center">
<h3>Group "App control data"</h3>
<p>We collect the following information:
<ul>
<li>HTTP cookies</li>
</ul>
<p>This data will be used for the following purposes:</p>
<ul>
<li>Completion and support of the current activity.</li>
<li>Web site and system administration.</li>
<li>Research and development.</li>
<li>Historical preservation.</li>
<li>Other purposes<p>Control Flow of the application</p></li>
</ul>
<p>This data will be used by ourselves and our agents.
<p>The data in this group has been marked as non-identifiable. This means that there is no
reasonable way for the site to identify the individual person this data was collected from.
<p>The following explanation is provided for why this data is collected:</p>
<blockquote>This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</blockquote>
<!-- "Use of Cookies" section of privacy policy -->
<hr width="50%" align="center">
<h2>Cookies</h2>
<p>Cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.
<p>Our site makes use of cookies.
Cookies are used for the following purposes:
<ul>
<li>Site administration
<li>Completing the user's current activity
<li>Research and development
<li>Other
(Control Flow of the application)
</ul>
<!-- "Compact Policy Explanation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Compact Policy Summary</h2>
<p>The compact policy which corresponds to this policy is:
<pre>
    CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV"
</pre>
<p>The following table explains the meaning of each field in the compact policy.
<center><table width="80%" border="1" cols="2">
<tr><td align="center" valign="top" width="20%"><b>Field</b></td><td align="center" valign="top" width="80%"><b>Meaning</b></td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CP=</tt></td>
<td align="left" valign="top" width="80%">This is the compact policy header; it indicates that what follows is a P3P compact policy.</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ALL</tt></td>
<td align="left" valign="top" width="80%">
Access to all collected information is available.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DSP</tt></td>
<td align="left" valign="top" width="80%">
The policy contains at least one dispute-resolution mechanism.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NID</tt></td>
<td align="left" valign="top" width="80%">
The information collected is not personally identifiable.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CURa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for completion of the current activity.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ADMa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for site administration.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DEVa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for research and development.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>HISa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for historical archival purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OTPa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for other purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OUR</tt></td>
<td align="left" valign="top" width="80%">
The data is given to ourselves and our agents.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NOR</tt></td>
<td align="left" valign="top" width="80%">
The data is not kept beyond the current transaction.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NAV</tt></td>
<td align="left" valign="top" width="80%">
Navigation and clickstream data is collected.
</td></tr>
</table></center>
<p>The compact policy is sent by the Web server along with the cookies it describes.
For more information, see the P3P deployment guide at <a href="http://www.w3.org/TR/p3pdeployment">http://www.w3.org/TR/p3pdeployment</a>.
<!-- "Policy Evaluation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Policy Evaluation</h2>
<p>Microsoft Internet Explorer 6 will evaluate this policy's compact policy whenever it is used with a cookie.
The actions IE will take depend on what privacy level the user has selected in their browser (Low, Medium, Medium High, or High; the default is Medium.
In addition, IE will examine whether the cookie's policy is considered satisfactory or unsatisfactory, whether the cookie is a session cookie or a persistent cookie, and whether the cookie is used in a first-party or third-party context.
This section will attempt to evaluate this policy's compact policy against Microsoft's stated behavior for IE6.
<p><b>Note:</b> this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser.
<p><b>Satisfactory policy</b>: this compact policy is considered <em>satisfactory</em> according to the rules defined by Internet Explorer 6.
IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.
</body></html>
  1. Content of policy.p3p
<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
    <!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->

    <!-- Expiry information for this policy -->
    <EXPIRY max-age="86400"/>

<POLICY
    name="App"
    discuri="ABSOLUTE URL TO policy.html"
    xml:lang="de">
    <!-- Description of the entity making this policy statement. -->
    <ENTITY>
    <DATA-GROUP>
<DATA ref="#business.name">COMPANY NAME</DATA>
<DATA ref="#business.contact-info.online.email">[email protected]</DATA>
<DATA ref="#business.contact-info.online.uri">YOURWEBSITE</DATA>
<DATA ref="#business.contact-info.telecom.telephone.number">YOURPHONENUMBER</DATA>
<DATA ref="#business.contact-info.postal.organization">FIRSTNAME LASTNAME</DATA>
<DATA ref="#business.contact-info.postal.street">STREET</DATA>
<DATA ref="#business.contact-info.postal.city">CITY</DATA>
<DATA ref="#business.contact-info.postal.stateprov">STAGE</DATA>
<DATA ref="#business.contact-info.postal.postalcode">POSTALCODE</DATA>
<DATA ref="#business.contact-info.postal.country">Germany</DATA>
    </DATA-GROUP>
    </ENTITY>

    <!-- Disclosure -->
    <ACCESS><all/></ACCESS>


    <!-- Disputes -->
    <DISPUTES-GROUP>
        <DISPUTES resolution-type="service" service="YOURWEBSITE CONTACT FORM" short-description="Dispute">
            <LONG-DESCRIPTION>Contact us for further information</LONG-DESCRIPTION>
    <!-- No remedies specified -->
        </DISPUTES>
    </DISPUTES-GROUP>

    <!-- Statement for group "App control data" -->
    <STATEMENT>
        <EXTENSION optional="yes">
            <GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="App control data"/>
        </EXTENSION>

    <!-- Consequence -->
    <CONSEQUENCE>
This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</CONSEQUENCE>

    <!-- Data in this statement is marked as being non-identifiable -->
    <NON-IDENTIFIABLE/>

    <!-- Use (purpose) -->
    <PURPOSE><admin/><current/><develop/><historical/><other-purpose>Control Flow of the application</other-purpose></PURPOSE>

    <!-- Recipients -->
    <RECIPIENT><ours/></RECIPIENT>

    <!-- Retention -->
    <RETENTION><no-retention/></RETENTION>

    <!-- Base dataschema elements. -->
    <DATA-GROUP>
    <DATA ref="#dynamic.cookies"><CATEGORIES><navigation/></CATEGORIES></DATA>
    </DATA-GROUP>
</STATEMENT>

<!-- End of policy -->
</POLICY>
</POLICIES>
Ballyrag answered 23/12, 2008 at 17:8 Comment(1)
It goes to the parent window server dir or an iframe server dir?Notecase
T
1

If you own the domain that needs to be embedded, then you could, before calling the page that includes the IFrame, redirect to that domain, which will create the cookie and redirect back, as explained here: http://www.mendoweb.be/blog/internet-explorer-safari-third-party-cookie-problem/

This will work for Internet Explorer but for Safari as well (because Safari also blocks the third-party cookies).

Temple answered 23/12, 2008 at 17:8 Comment(0)
T
1

I know it's a bit late to put my contribution on this subject but I lost so many hours that maybe this answer will help somebody.

I was trying to call a third party cookie on my site and of course it was not working on Internet Explorer 10, even at a low security level... don't ask me why. In the iframe I was calling a read_cookie.php (echo $_COOKIE) with ajax.

And I don't know why I was incapable of setting the P3P policy to solve the problem...

During my search I saw something about getting the cookie in JSON working. I don't even try because I thought that if the cookie won't pass through an iframe, it will not pass any more through an array...

Guess what, it does! So if you json_encode your cookie then decode after your ajax request, you'll get it!

Maybe there is something I missed and if I did, all my apologies, but i never saw something so stupid. Block third party cookies for security, why not, but let it pass if encoded? Where is the security now?

I hope this post will help somebody and again, if I missed something and I'm dumb, please educate me!

Tennison answered 23/12, 2008 at 17:8 Comment(2)
Interesting...so you're decoding the cookie in JS?Britney
Nop, i'm just writing the cookie in a JSON array with php function json_encode() then getting back via ajax JSON call.Tennison
S
1

You can also combine the p3p.xml and policy.xml files as such:

/home/ubuntu/sites/shared/w3c/p3p.xml

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
  <POLICIES>
    <POLICY discuri="" name="policy1">
      <ENTITY>
        <DATA-GROUP>
          <DATA ref="#business.name"></DATA> 
          <DATA ref="#business.contact-info.online.email"></DATA> 
        </DATA-GROUP>
      </ENTITY>
      <ACCESS>
        <nonident/>
      </ACCESS>
      <!-- if the site has a dispute resolution procedure that it follows, a DISPUTES-GROUP should be included here -->
      <STATEMENT>
        <PURPOSE>
          <current/>
          <admin/>
          <develop/>
        </PURPOSE>
        <RECIPIENT>
          <ours/>
        </RECIPIENT>
        <RETENTION>
          <indefinitely/>
        </RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
          <DATA ref="#dynamic.http"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>
  </POLICIES>
</META>

I found the easiest way to add a header is proxy through Apache and use mod_headers, as such:

<VirtualHost *:80>
  ServerName mydomain.com

  DocumentRoot /home/ubuntu/sites/shared/w3c/

  ProxyRequests off
  ProxyPass /w3c/ !
  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyPreserveHost on

  Header add p3p 'P3P:policyref="/w3c/p3p.xml", CP="NID DSP ALL COR"'
</VirtualHost>

So we proxy all requests except those to /w3c/p3p.xml to our application server.

You can test it all with the W3C validator

Sirkin answered 23/12, 2008 at 17:8 Comment(2)
Does this send the header with 304 requests? Some versions of IE will actually delete cookies if you send a P3P header with a 304.Pierette
Sorry, I do not know since I no longer work on this code. If its a problem you can probably force the status code in Apache to 200.Sirkin
P
0

In Rails 3.2 I am using:

class ApplicationController < ActionController::Base  

  before_filter :set_p3p  

  private  
    # for IE session cookies thru iframe  
    def set_p3p  
      headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'  
    end  
end  

I got this from: http://dot-net-web-developer-bristol.blogspot.com/2012/04/setting-p3p-header-in-rails-session.html

Parabolic answered 23/12, 2008 at 17:8 Comment(0)
E
0

For anyone trying to get the P3P Compact Policy working with static content:

It is only possible if you are able to send custom server-side response headers with the static content.

For a more detailed explanation see my answer here: Set P3P code in HTML

Enwomb answered 23/12, 2008 at 17:8 Comment(0)
S
0

In Rails I am using this gem : https://github.com/merchii/rack-iframe Bawically it sets a set of abbreviations without a reference file: https://github.com/merchii/rack-iframe/blob/master/lib/rack/iframe.rb#L8

It is easy to install when you dont care at all about the meaning of the p3p stuff.

Scuttle answered 23/12, 2008 at 17:8 Comment(0)
T
-1

A better solution would be to make an Ajax call inside the iframe to the page that would get/set cookies...

Tauro answered 7/1, 2009 at 16:6 Comment(9)
AJAX won't help here: any cookie handling inside the iframe is less trusted ("third-party cookies"), and in IE needs to pass through the Privacy Policy filter - no matter if you're setting cookies with AJAX calls, document.cookie manipulation or through normal pages (tested).Britney
no, if you're make an ajax call that sets the cookies with HTTP (inside the iframe) Ie6 bypasses the security policy and sets the cookie. Please assure my solution is wrong before downvoting.Tauro
See newmoon.wz.cz/test/page.php .You can set cookies via AJAX, but you either a)start new session, or b)set session id from JS - a huge security hole (XSRF).My previous comment was wrong,I apologize.But,your solution looks wronger than before: making a security hole seems bad to me.Britney
(Anything that "bypasses security policy" looks at least like a bug to me - if there is a policy, it's there for some reason. Saying "screw the security policy/user preferences, we know better" is a dangerous slippery slope. Also, would you let functionality depend on (yet) unfixed known bugs?)Britney
Set a new session? What are you talking about? Most browser support this, without the p3p header stuff, so I don't understand how doing it through Ajax is any different...Tauro
Indeed,most browsers support this,but I can't force the users to switch.Anyway,check the test page:if you AJAX a request to set_cookie.php,the session ID will be different from the ID you see on someform.php.Requesting set_cookie.php?sid={something} will work,but will work from any site.Not optimal.Britney
I dont have ie6 to test on right now, but why would the session ID be different using Ajax? Anyhow on a different note I'm using "script" tags to SET cookies (not iframes), but I can't seem to make it work in Safari, were you able to SET cookies in Safari with this IFRAME method?Tauro
I finished my characters, check this link out: #409082Tauro
Hmmm, Safari? I'll give it a try.Britney

© 2022 - 2024 — McMap. All rights reserved.