IE Blocking iFrame Cookies
Submitted by adam on Tue, 2008-09-16 17:52.
I got a call today about one of my applications not running correctly from inside an iFrame. I tried it out and it looked like everything worked great in Safari and Firefox but not IE6 or IE7. It took me a few failed attempts to fix it before I decided it must be a session problem. After firing up a packet sniffer it became obvious the cookie with the session ID was not being passed.
The problem lies with a W3C standard called Platform for Privacy Preferences or P3P for short. You can read all about the boring stuff via the link or else just install the P3P Compact Policy header below. This will allow Internet Explorer to accept your third-party cookie. You will need to send the header on every page that sets a cookie.
PHP:
header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

ASP.NET:
HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

Django:
response = render_to_response('mytemplate.html')
response["P3P"] = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'

JSP:
response.addHeader("P3P","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
thanks!
I love it when there's such an easy fix!
Thanks
Thank you for this, I'm sure I would have been going around in circles for hours without this fix!
Awesome. Just awesome :P !
Thanks a lot
Thank you Very Much it's working just fine
Adam is a genius!
You literally saved a handful of hairs on my head with this work around.
Thanks for your time!
- Al
P.S. If you are having issues with calling in Kayako support suite using Iframes this works.
omg, you saved my day too :)
IE is nothing but headaches..
thx,
Maarten
Awesome!!!!
You just saved my day!!!!!
Thanks for sharing dude!!!
If you ever come to Amsterdam I'll buy you a beer!!
Thank you
We added that header to our httpd.conf and it worked like a wonder.
THANK YOU SOOOOO MUCH
Well... it works on IE but not in HTA !
I lost 2 hours on this fu!#@? problem...
now it just works...
Thanks for sharing !
Thank You
You made me very very happy.. short and simple! thanks a lot!
thank you
it solved my
hta, php, session, cookie, login
problem
Thanks a lot!
Thanks man
this made my day
Thank You!
This got me out of a tight squeeze. Thank you very much.
simple Proof of Concept is just not working
Hi Adam,
I've read a plethora of examples of P3P working for people, but in my case, the most simple example just doesn't want to work for me. Am I doing something wrong?
This is the container page:
iframe_container.jsp:
<% response.addHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'"); %>
<html>
<body>
<h2>iframe container</h2>
<iframe src="http://surgenorpontiac.itl.gm.ca/weblogic/set_cookie.jsp"></iframe>
</body>
</html>
This is the page which is IFRAMEd in:
set_cookie.jsp:
<% response.addHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'"); %>
<html>
<head>
<script>
function setCookie() {
document.cookie = "cookie_text=cookie set by inner iframe; path=/; expires=Sat, 31 Oct 2009 22:00:00 UTC; domain=itl.gm.ca";
}
function clearCookie() {
document.cookie = "cookie_text=blank; path=/; expires=Fri, 27 Jul 2001 02:47:11 UTC; domain=itl.gm.ca";
}
</script>
</head>
<body>
<h2>inner frame</h2>
<a href="javascript:setCookie()">set cookie</a>
<a href="javascript:clearCookie()">clear cookie</a>
</body>
</html>
Example can be found here: http://carterpontiac.itl.gmcanada.com/weblogic/iframe_container.jsp
When I attempt to call the setCookie function in the IFRAME page, I get the dreaded red eye, and the Privacy Alert msg comes up, because I have my browser set to "Prompt" for Third Party Cookies.
Under Internet Options - Privacy - Advanced, I have Override automatic cookie handling checked, and Third-Party cookies set to prompt.
Any feedback anyone has would be much appreciated! If you have an example which works, I'd love to see it too.
Mike
Legal:
Note, that by using such a P3P statement, you're making a legal statement about how your application handles cookies. If you're later found in violation of the statement you make, you will find yourself in criminal and civil jeopardy.
What about the parent site?
I understand that the P3P header will have to be added to the app running inside the iFrame. How about the parent site hosting the iFrame? Does the parent site need to publish some P3P policy also in order for the embedded iFrame to work correctly?
Nope, just the site in the iFrame