I got a call today about one of my applications not running correctly from inside an iFrame. I tried it out and it looked like everything worked great in Safari and Firefox but not IE6 or IE7. It took me a few failed attempts to fix it before I decided it must be a session problem. After firing up a packet sniffer, it became obvious the cookie with the session ID was not being passed.
The problem lies with a W3C standard called Platform for Privacy Preferences or P3P for short. You can read all about the boring stuff via the link or else just install the P3P Compact Policy header below. This will allow Internet Explorer to accept your third-party cookie. You will need to send the header on every page that sets a cookie.
PHP:
header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
ASP.NET:
HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
Django:
response = render_to_response('mytemplate.html')
response["P3P"] = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'
JSP:
response.addHeader("P3P","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
Comments
Anonymous (not verified)
Mon, 10/06/2008 - 17:37
What about the parent site?
I understand that the P3P header will have to be added to the app running inside the iFrame. How about the parent site hosting the iFrame? Does the parent site need to publish some P3P policy also in order for the embedded iFrame to work correctly?
adam
Mon, 10/06/2008 - 17:51
Nope, just the site in the iFrame
Anonymous (not verified)
Fri, 08/14/2009 - 11:25
Ruby On Rails?
Is there a solution for Ruby On Rails, too?
Anonymous (not verified)
Thu, 04/08/2010 - 15:59
do you have to add it to every page
I have a default.aspx page that is just a plain html frame, top page is a search and bottom page is a result.
Do I need to put this in all three pages or just the default.aspx page that is called by the iframe?
Anonymous (not verified)
Mon, 10/27/2008 - 17:30
Legal:
Note that by using such a P3P statement, you're making a legal statement about how your application handles cookies. If you're later found in violation of the statement you make, you will find yourself in criminal and civil jeopardy.
Anonymous (not verified)
Wed, 11/12/2008 - 16:24
Thank You!
This got me out of a tight squeeze. Thank you very much.
Anonymous (not verified)
Thu, 03/26/2009 - 11:25
simple Proof of Concept is just not working
Hi Adam,
I've read a plethora of examples of P3P working for people, but in my case, the most simple example just doesn't want to work for me. Am I doing something wrong?
This is the container page:
iframe_container.jsp:
<% response.addHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'"); %>
<html>
<body>
<h2>iframe container</h2>
<iframe src="http://surgenorpontiac.itl.gm.ca/weblogic/set_cookie.jsp"></iframe...
</body>
</html>
This is the page which is IFRAMEd in:
set_cookie.jsp:
<% response.addHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'"); %>
<html>
<head>
<script>
function setCookie() {
document.cookie = "cookie_text=cookie set by inner iframe; path=/; expires=Sat, 31 Oct 2009 22:00:00 UTC; domain=itl.gm.ca";
}
function clearCookie() {
document.cookie = "cookie_text=blank; path=/; expires=Fri, 27 Jul 2001 02:47:11 UTC; domain=itl.gm.ca";
}
</script>
</head>
<body>
<h2>inner frame</h2>
<a href="javascript:setCookie()">set cookie</a>
<a href="javascript:clearCookie()">clear cookie</a>
</body>
</html>
Example can be found here: http://carterpontiac.itl.gmcanada.com/weblogic/iframe_container.jsp
When I attempt to call the setCookie function in the IFRAME page, I get the dreaded red eye, and the Privacy Alert msg comes up, because I have my browser set to "Prompt" for Third Party Cookies.
Under Internet Options - Privacy - Advanced, I have Override automatic cookie handling checked, and Third-Party cookies set to prompt.
Any feedback anyone has would be much appreciated! If you have an example which works, I'd love to see it too.
Mike
Anonymous (not verified)
Mon, 11/24/2008 - 18:34
Thanks man
this made my day
Anonymous (not verified)
Wed, 11/26/2008 - 09:40
Thanks a lot!
Anonymous (not verified)
Wed, 11/26/2008 - 11:20
thank you
it solved my hta, php, session, cookie, login problem
Anonymous (not verified)
Fri, 12/12/2008 - 04:32
Thank You
You made me very very happy.. short and simple! thanks a lot!
Anonymous (not verified)
Tue, 12/16/2008 - 18:31
THANK YOU SOOOOO MUCH
Well... it works on IE but not in HTA !
I lost 2 hours on this fu!#@? problem...
now it just works...
Thanks for sharing !
Anonymous (not verified)
Mon, 03/16/2009 - 12:51
Thank you
We added that header to our httpd.conf and it worked like a wonder.
Anonymous (not verified)
Fri, 04/17/2009 - 06:38
Awesome!!!!
You just saved my day!!!!!
Thanks for sharing dude!!!
If you ever come to Amsterdam I'll buy you a beer!!
Anonymous (not verified)
Wed, 04/29/2009 - 03:57
omg, you saved my day too :)
IE is nothing but headaches..
thx,
Maarten
menskiof
Fri, 05/01/2009 - 15:57
Adam is a genius!
You literally saved a handful of hairs on my head with this work around.
Thanks for your time!
- Al
P.S. If you are having issues with calling in Kayako support suite using Iframes this works.
Anonymous (not verified)
Thu, 05/07/2009 - 20:12
Thanks a lot
Thank you Very Much it's working just fine
Anonymous (not verified)
Wed, 05/13/2009 - 13:25
Awesome. Just awesome :P !
Anonymous (not verified)
Thu, 05/14/2009 - 09:36
Thanks
Thank you for this, I'm sure I would have been going around in circles for hours without this fix!
Anonymous (not verified)
Mon, 06/22/2009 - 07:46
thanks!
I love it when there's such an easy fix!
Anonymous (not verified)
Thu, 08/13/2009 - 20:35
Dang! Thanks so much, it saved so much time!
I thought I was screwed when I checked IE and found my application wasn't keeping cookies set in iframes. Just one line saved the day! Thanks!
Anonymous (not verified)
Fri, 08/21/2009 - 11:22
Generate P3P Policy
Thanks for the useful instruction :-)
I was using this in our dev site, but today I need to put it on our production site, so I learned how to generate a P3P policy as I think would be better to generate our own if using on production site, so here is the instruction if anybody needs to do so http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-p...
Anonymous (not verified)
Thu, 09/17/2009 - 03:46
Thanks!!!
you solve my problem so easy!!!
Anonymous (not verified)
Thu, 09/17/2009 - 05:38
Thank you for this from my friend Rasha.
Anonymous (not verified)
Sat, 09/19/2009 - 17:03
careful about 304 not modified responses
Even with the P3P header added, you can still get into trouble if IE7 submits a request for a cached page, and the response is 304 not modified. That header-only response does NOT include the P3P header element... and if it _also_ attempts to set a cookie, IE7 gets upset and destroys the cookie... and worse still, blocks the site.
So, I eventually fixed this problem by ensuring that no 304 not modified response was ever generated (by setting the etag anew w each response).
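The article's rule (send the header on every response that sets a cookie) and the 304 case described in the comment above can both be enforced in one place. The following is an added example, not code from the original post or from any commenter: a WSGI middleware (usable under Django) that attaches the header whatever the status code, plus a check that flags cookie-setting responses sent without it. `P3PMiddleware`, `cookies_without_policy`, `call` and `demo_app` are hypothetical names, and the sample app and cookie value are constructed.

```python
# Added example. Policy string copied from the article; publish only tokens
# that match what your application really does with cookie data.
P3P_POLICY = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'


class P3PMiddleware:
    """Wrap a WSGI app so every response carries exactly one P3P header."""

    def __init__(self, app, policy=P3P_POLICY):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Header names are case-insensitive: drop any existing copy first.
            headers = [(k, v) for k, v in headers if k.lower() != "p3p"]
            headers.append(("P3P", self.policy))
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start)


def cookies_without_policy(headers):
    """Return the Set-Cookie values of a response that has no P3P header."""
    if any(k.lower() == "p3p" for k, _ in headers):
        return []
    return [v for k, v in headers if k.lower() == "set-cookie"]


def call(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"]


def demo_app(environ, start_response):
    # Constructed app: /cached answers 304 yet still refreshes the session cookie.
    cached = environ["PATH_INFO"] == "/cached"
    start_response("304 Not Modified" if cached else "200 OK",
                   [("Set-Cookie", "sessionid=constructed; Path=/")])
    return [b""]


if __name__ == "__main__":
    for app in (demo_app, P3PMiddleware(demo_app)):
        status, headers = call(app, "/cached")
        print(status, "cookies lacking P3P:", cookies_without_policy(headers))
```

The same `cookies_without_policy` check can be run over headers captured from a staging site to find pages that set a cookie without the policy.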
Anonymous (not verified)
Sun, 10/11/2009 - 21:30
This worked for us initially, but would not work with the following meta tag:
meta http-equiv="Content-Type" content="text/html; charset=utf-8"
I had to remove the meta tag, and set the content type with php:
header('Content-Type: text/html; charset=utf-8');
Anonymous (not verified)
Tue, 10/27/2009 - 05:58
Thank you very much, you saved my day!
Anonymous (not verified)
Wed, 11/04/2009 - 11:14
Thank you very much!
I was getting mad solving why my iframe facebook app won't work in IE. You are evil genius!
Anonymous (not verified)
Thu, 12/03/2009 - 01:44
IE8
This does not work in IE8
Anonymous (not verified)
Thu, 12/17/2009 - 06:35
IE8
Hi, IE8 is not working for me as well. Did you find a solution for it?
Thanks
Bharath
Anonymous (not verified)
Mon, 04/05/2010 - 16:59
IE8
It works for IE8. I added this inside Page_Load method
HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
Btw, THANKS A LOT.
Anonymous (not verified)
Mon, 12/07/2009 - 16:59
Thank you
Saved my day too! Thank you very much!
Anonymous (not verified)
Wed, 12/16/2009 - 14:01
It's wonderful, small thing made large difference. Thank you.
Anonymous (not verified)
Fri, 02/12/2010 - 15:30
Ahhhhhh
I'm a novice programmer, more of a web site making feller. We're sending out a national campaign and needed to have a framed version of our website in another domain for a degree of separation. This of course made the cookies useless in IE7 until stumbling across this fix. I was only half an hour deep but it could've been all day. Thank you so much!!!!
Anonymous (not verified)
Wed, 02/17/2010 - 12:20
God bless you!
I was near to suicide when found your article. Thanks a lot, you're my Lord. (Die, IE, die!)
Anonymous (not verified)
Fri, 02/19/2010 - 09:57
What I did..
I had the same problem once, and the way I solved it was by using a proxy script, that way everything was dereferenced to my current domain and iframe cookies were no longer third party. :)
OccaraFrirm
Mon, 12/06/2010 - 09:01
Interesting
Hi, I'm interested in your solution. Can you inform me how you did it?
Thank you
Anonymous (not verified)
Tue, 03/09/2010 - 03:21
Rails solution
response.headers['P3P'] = 'CP="NON DSP COR CURa IVAa IVDa CONa OUR NOR STA"'
Anonymous (not verified)
Wed, 03/10/2010 - 06:14
Genius
You're a wonderful, wonderful man. I'd protect you in prison.
Anonymous (not verified)
Thu, 03/11/2010 - 05:25
IFrame not working in IE
I have an asp.net application. I have added the P3P Policy as mentioned, but my page still gets refreshed when I try to login. Below is my code....
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default2.aspx.cs" Inherits="Default2" %>
<% HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""); %>
Anonymous (not verified)
Fri, 04/09/2010 - 17:16
third party cookie not working in iframe in ie due to security
Here's our issue...will this help???
We have the coolest interactive survey ever created and it requires a cookie to run it.
Works great in direct link or even redirect....www.normalmeter.com (interactive survey that tells you how normal you are in a relationship or single...super cool!!!)
Anyway Reader's Digest (80 million readers) put in the magazine and on the homepage today. Yes, this is a big deal and I will owe somebody hugely on a fix for this! So it's live on www.rd.com homepage, but if you have internet explorer and the default is set to medium or high security, it doesn't work! UGGGGGG! Figured I could cry or try to call out for help.
So, we need the cookie (which is third party via Reader's Digest iframe) and we need it to run on internet explorer without telling people with IE to set security to low. That's not an option.
We code can we put in the survey so it will run within the iframe and ie????
Feel free to email me directly or I will check back on this blog on the hour for answer.
Take the cool survey and let me know what you think! It's really funny and gives fun payback.
www.normalmeter.com
xo Chrisanna
Anonymous (not verified)
Fri, 04/09/2010 - 17:20
third party cookie not working in iframe in ie due to security
I meant to say which code can we put in survey so it will run with iframe via ie without this error:
HTTP Status 500 -
--------------------------------------------------------------------------------
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
java.lang.NullPointerException
Page2.doGet(Page2.java:340)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.catalina.servlets.InvokerServlet.serveRequest(InvokerServlet.java:420)
org.apache.catalina.servlets.InvokerServlet.doGet(InvokerServlet.java:134)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.20 logs.
Anonymous (not verified)
Wed, 04/14/2010 - 06:03
You are the man
Thanks a lot for sharing that "beyond totally crazy" information !
You just saved my day too :)
Anonymous (not verified)
Wed, 04/21/2010 - 18:43
thanks
pure genius ! great job
Anonymous (not verified)
Thu, 04/22/2010 - 11:10
how to do this in a plain asp file
I have a web site that is just a plain .asp page. How would you put this in there. (sorry new to this). What about the page load issue with IE8? Any help would be appreciated
Anonymous (not verified)
Tue, 06/29/2010 - 14:53
how to do this in a plain asp file
Did you get this resolved??? I have the same issue.
Anonymous (not verified)
Tue, 06/01/2010 - 14:30
Thank you!
You save my day! Thanks a lot!
Anonymous (not verified)
Tue, 06/08/2010 - 12:23
Hero
You are. That was becoming a serious pain in the neck until I found your fix - many thanks.
Anonymous (not verified)
Tue, 06/08/2010 - 23:30
Full PHP Code Anyone?
I'm looking for a quick copy-and-paste of what to put as the PHP code, but I'm not too keen on PHP myself. Here's what I've come up with from reading the comments:
HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""); ?>
I'm just needing to find the full code to see if the iframe issue with IE is the problem users are having on my site. Anyone want to paste the code they used? This one doesn't seem to do anything... :/
Anonymous (not verified)
Fri, 06/11/2010 - 11:01
thousand thanks.