[internet-explorer] Cookie blocked/not saved in IFRAME in Internet Explorer

I have two websites, let's say they're example.com and anotherexample.net. On anotherexample.net/page.html, I have an IFRAME SRC="http://example.com/someform.asp". That IFRAME displays a form for the user to fill out and submit to http://example.com/process.asp. When I open the form ("someform.asp") in its own browser window, all works well. However, when I load someform.asp as an IFRAME in IE 6 or IE 7, the cookies for example.com are not saved. In Firefox this problem doesn't appear.

For testing purposes, I've created a similar setup on http://newmoon.wz.cz/test/page.php .

example.com uses cookie-based sessions (and there's nothing I can do about that), so without cookies, process.asp won't execute. How do I force IE to save those cookies?

Results of sniffing the HTTP traffic: on GET /someform.asp response, there's a valid per-session Set-Cookie header (e.g. Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY), but on POST /process.asp request, there is no Cookie header at all.

Edit3: some AJAX+serverside scripting is apparently capable of sidestepping the problem, but that looks very much like a bug, plus it opens a whole new set of security holes. I don't want my applications to use a combination of bug+security hole just because it's easy.

Edit: the P3P policy was the root cause, full explanation below.

Tags: internet-explorer, cookies, privacy, p3p
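As an added illustration (not part of the question or of any answer below), here is a small Python checker for the kind of sniffed trace the question describes: it reads a `curl -v` style capture (`>` lines are client to server, `<` lines server to client) and lists every cookie a host set that the client never sent back, together with the request whose response set it. The trace is constructed to mirror the question's symptom; the line format and the absence of cookie-scope handling are assumptions of this example.

```python
from collections import defaultdict

# Constructed trace modelled on the symptom in the question: the iframe's GET
# receives a Set-Cookie, but the POST that follows carries no Cookie header.
TRACE_IE = """\
> GET /someform.asp HTTP/1.1
> Host: example.com
> Referer: http://anotherexample.net/page.html
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY; path=/
<
> POST /process.asp HTTP/1.1
> Host: example.com
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Content-Type: text/html
<
"""

# The same exchange as a browser that accepted the cookie would produce it.
TRACE_OK = TRACE_IE.replace(
    "> Content-Type: application/x-www-form-urlencoded\n",
    "> Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY\n"
    "> Content-Type: application/x-www-form-urlencoded\n",
)


def parse_trace(text):
    """Split a '>'/'<' prefixed trace into an ordered list of messages.

    Each message is {"kind": "request"|"response", "start": start line,
    "headers": [(lower-case name, value), ...]}.  A change of prefix starts
    a new message, so pipelined back-to-back requests are not separated.
    """
    messages, current = [], None
    for raw in text.splitlines():
        prefix, _, body = raw.partition(" ")
        if prefix not in (">", "<"):
            continue
        kind = "request" if prefix == ">" else "response"
        if current is None or current["kind"] != kind:
            current = {"kind": kind, "start": body.strip(), "headers": []}
            messages.append(current)
        elif ":" in body:
            name, _, value = body.partition(":")
            current["headers"].append((name.strip().lower(), value.strip()))
    return messages


def cookies_never_sent_back(messages):
    """Report requests that omit cookies the same host set earlier in the trace.

    Returns a list of {"request": start line, "host": host,
    "missing": {cookie name: request whose response set it}}.
    Scope attributes (Path, Domain, Secure, Expires) are deliberately ignored:
    this is a coarse first-pass diagnostic, not a cookie-jar implementation.
    """
    set_by_host = defaultdict(dict)   # host -> {cookie name: originating request}
    findings, last_request = [], None
    for msg in messages:
        if msg["kind"] == "request":
            headers = dict(msg["headers"])
            last_request = (msg["start"], headers.get("host", ""))
            sent = set()
            for name, value in msg["headers"]:
                if name == "cookie":
                    sent.update(p.strip().split("=", 1)[0] for p in value.split(";"))
            expected = set_by_host[last_request[1]]
            missing = {c: origin for c, origin in expected.items() if c not in sent}
            if missing:
                findings.append({"request": last_request[0],
                                 "host": last_request[1], "missing": missing})
        elif last_request is not None:
            # A response belongs to the request that preceded it.
            for name, value in msg["headers"]:
                if name == "set-cookie":
                    cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
                    set_by_host[last_request[1]][cookie] = last_request[0]
    return findings


if __name__ == "__main__":
    print("IE-like trace:", cookies_never_sent_back(parse_trace(TRACE_IE)))
    print("working trace:", cookies_never_sent_back(parse_trace(TRACE_OK)))
```

Run against the IE-like trace the checker names the POST to example.com and the cookie ASPKSJIUIUGF that the earlier GET set; against the working trace it reports nothing, which is the quickest way to confirm you are looking at a blocked cookie rather than a server-side session bug.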

The answer is


This is a great topic on the issue, however I found that one important detail (which was essential at least in my case) that was not posted here or anywhere else (I apologize if I just missed it) was that the P3P line must be passed in the header of EVERY file sent from the 3rd party server, even files not setting or using the cookies such as JavaScript files or images. Otherwise the cookies will be blocked. I have more on this in a post here: http://posheika.net/?p=110


I was able to make the evil eye go away by simply adding this small header to the site in the IFrame (PHP solution):

header('P3P: CP="NOI ADM DEV COM NAV OUR STP"');

Remember to press ctrl+F5 to reload your site or Explorer may still show the evil eye, despite the fact that it's working fine. This is probably the main reason why I had so many problems getting it to work.

No policy file was necessary at all.

Edit: I found a nice blog entry that explains the problem with cookies in IFrames. It also has a quick fix in C# code: Frames, ASPX Pages and Rejected Cookies


You can also combine the p3p.xml and policy.xml files as such:

/home/ubuntu/sites/shared/w3c/p3p.xml

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
  <POLICIES>
    <POLICY discuri="" name="policy1">
      <ENTITY>
        <DATA-GROUP>
          <DATA ref="#business.name"></DATA> 
          <DATA ref="#business.contact-info.online.email"></DATA> 
        </DATA-GROUP>
      </ENTITY>
      <ACCESS>
        <nonident/>
      </ACCESS>
      <!-- if the site has a dispute resolution procedure that it follows, a DISPUTES-GROUP should be included here -->
      <STATEMENT>
        <PURPOSE>
          <current/>
          <admin/>
          <develop/>
        </PURPOSE>
        <RECIPIENT>
          <ours/>
        </RECIPIENT>
        <RETENTION>
          <indefinitely/>
        </RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
          <DATA ref="#dynamic.http"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>
  </POLICIES>
</META>

I found the easiest way to add a header is to proxy through Apache and use mod_headers, as such:

<VirtualHost *:80>
  ServerName mydomain.com

  DocumentRoot /home/ubuntu/sites/shared/w3c/

  ProxyRequests off
  ProxyPass /w3c/ !
  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyPreserveHost on

  # mod_headers: the header name is P3P; the value must not repeat "P3P:"
  Header set P3P 'policyref="/w3c/p3p.xml", CP="NID DSP ALL COR"'
</VirtualHost>

So we proxy all requests except those to /w3c/p3p.xml to our application server.

You can test it all with the W3C validator.


Got a similar problem, and also went to investigate how to generate the P3P policy this morning. Here is my post about how to generate your own policy and use it in your web site :) http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-policy-and-implement.html


For anyone having this problem in node.js:

Add this p3p module and enable it as middleware.

npm install p3p

I am using Express, so I add it in app.js.

First require that module in app.js:

var express = require('express');
var app = express();
var p3p = require('p3p');

then use it as middleware:

app.use(p3p(p3p.recommended));

It will add the P3P header to the res object. No need to do anything extra.

You will get more info at:

https://github.com/troygoode/node-p3p



I had this issue as well, thought I'd post the code that I used in my MVC2 project. Be careful when in the page life cycle you add in the header or you'll get an HttpException "Server cannot append header after HTTP headers have been sent." I used a custom ActionFilterAttribute on the OnActionExecuting method (called before the action is executed).

/// <summary>
/// Privacy Preferences Project (P3P) serve a compact policy (a "p3p" HTTP header) for all requests
/// P3P provides a standard way for Web sites to communicate about their practices around the collection, 
/// use, and distribution of personal information. It's a machine-readable privacy policy that can be 
/// automatically fetched and viewed by users, and it can be tailored to fit your company's specific policies.
/// </summary>
/// <remarks>
/// More info http://www.oreillynet.com/lpt/a/1554
/// </remarks>
public class P3PAttribute : ActionFilterAttribute
{
    /// <summary>
    /// On Action Executing add a compact policy "p3p" HTTP header
    /// </summary>
    /// <param name="filterContext"></param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

        base.OnActionExecuting(filterContext);
    }
}

Example use:

[P3P]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewData["Message"] = "Welcome!";

        return View();
    }

    public ActionResult About()
    {
        return View();
    }
}

I've spent a large part of my day looking into this P3P thing and I feel the need to share what I've found out.

I've noticed that the P3P concept is very outdated and seems only to be really used/enforced by Internet Explorer (IE).

The simplest explanation is: IE wants you to define a P3P header if you are using cookies.

This is a nice idea, and luckily most of the time not providing this header won't cause any issues (read browser warnings). Unless your website/web application is loaded into another website using an (i)Frame. This is where IE becomes a massive pain in the ***. It will not allow you to set a cookie unless the P3P header is set.

Knowing this I wanted to find an answer to the following two questions:

  1. Who cares? In other words, can I be sued if I put the word "Potato" in the header?
  2. What do other companies do?

My findings are:

  1. No one cares. I'm unable to find a single document that suggests this technology has any legal weight. During my research I didn't find a single country around the world that has adopted a law that prevents you from putting the word "Potato" in the P3P header.
  2. Both Google and Facebook put a link in their P3P header field referring to a page describing why they don't have a P3P header.

The concept was born in 2002 and it baffles me that this outdated and legally unimplemented concept is still forced upon developers within IE. If this header doesn't have any legal ramifications this header should be ignored (or alternatively, generate a warning or notification in the console). Not enforced! I'm now forced to put a line in my code (and send a header to the client) that does absolutely nothing.

In short - to keep IE happy - add the following line to your PHP code (other languages should look similar):

header('P3P: CP="Potato"');

Problem solved, and IE is happy with this potato.


This is buried in the comments of other answers, but I almost missed it, so it seems like it deserves its own answer.

To review: in order for IE to accept 3rd party cookies, you need to serve your files with an HTTP header called p3p in the format:

CP="my compact p3p policy"

BUT, p3p is pretty much dead as a standard at this point and you can easily get IE to work without investing the time and legal resources in creating a real p3p policy. This is because if your compact p3p policy header is invalid, IE actually treats it as a good policy and accepts 3rd party cookies. So you can use a p3p header such as this

CP="This site does not have a p3p policy."

You can optionally include a link to a page that explains why you don't have a p3p policy, as Google and Facebook do (they point here: https://support.google.com/accounts/answer/151657 and here: https://www.facebook.com/help/327993273962160/).

Finally, it's important to note that all files served from the 3rd party site need to have the p3p header, not just the one that sets the cookie, so you may not be able to just do this in your PHP, asp.net, etc. code. You are probably better off setting it up on the web server level (i.e. in IIS or Apache).
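The two points this answer and the earlier "EVERY file" answer make (an unparseable compact policy is still accepted, and every response including scripts and images needs the header) are easiest to satisfy at one choke point and then verified rather than assumed. As an added example that is not code from this page or from any project it mentions, here is a Python WSGI middleware that stamps a P3P header on every response, plus an in-process audit that drives an app through wsgiref (no sockets) and lists the paths whose response lacks the header. The toy app, its paths, and the CP value are assumptions made for this example.

```python
from wsgiref.util import setup_testing_defaults

# Placeholder compact policy, in the spirit of the answer above: IE cares that
# the header is present, not that the CP tokens parse.
P3P_VALUE = 'CP="This site does not have a p3p policy."'


def demo_app(environ, start_response):
    """Assumed toy origin app: a form page that sets a session cookie, a script, an image."""
    path = environ.get("PATH_INFO", "/")
    if path == "/someform.asp":
        start_response("200 OK", [("Content-Type", "text/html"),
                                  ("Set-Cookie", "SESSION=placeholder; Path=/")])
        return [b"<form method='post' action='/process.asp'></form>"]
    if path == "/app.js":
        start_response("200 OK", [("Content-Type", "application/javascript")])
        return [b"document.forms[0].submit();"]
    if path == "/logo.png":
        start_response("200 OK", [("Content-Type", "image/png")])
        return [b"\x89PNG\r\n\x1a\n"]  # constructed stub, not a real image
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def p3p_middleware(app, value=P3P_VALUE):
    """Wrap a WSGI app so every response, including 404s and static files, carries P3P."""
    def wrapped(environ, start_response):
        def start_with_p3p(status, headers, exc_info=None):
            # Drop any P3P header the app set itself so the client never sees two.
            headers = [(k, v) for k, v in headers if k.lower() != "p3p"] + [("P3P", value)]
            if exc_info is not None:
                return start_response(status, headers, exc_info)
            return start_response(status, headers)
        return app(environ, start_with_p3p)
    return wrapped


def fetch_headers(app, path):
    """Call a WSGI app in-process and return (status, header list) for one GET."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    setup_testing_defaults(environ)   # fills in SERVER_NAME, wsgi.* keys, etc.
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None

    body = app(environ, start_response)
    try:
        b"".join(body)   # consume so the app runs to completion
    finally:
        if hasattr(body, "close"):
            body.close()
    return captured["status"], captured["headers"]


def paths_missing_p3p(app, paths):
    """Audit helper: the subset of `paths` whose response has no P3P header."""
    return [p for p in paths
            if not any(k.lower() == "p3p" for k, _ in fetch_headers(app, p)[1])]


PATHS = ["/someform.asp", "/app.js", "/logo.png", "/does-not-exist"]

if __name__ == "__main__":
    print("bare app, no P3P on:", paths_missing_p3p(demo_app, PATHS))
    print("wrapped app, no P3P on:", paths_missing_p3p(p3p_middleware(demo_app), PATHS))
```

The audit is the part worth keeping: point `paths_missing_p3p` (or an HTTP equivalent of it) at the real list of URLs the framed page loads, because one un-stamped script or image served by a different handler is enough for IE to reject the session cookie.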


In Rails I am using this gem: https://github.com/merchii/rack-iframe Basically it sets a set of abbreviations without a reference file: https://github.com/merchii/rack-iframe/blob/master/lib/rack/iframe.rb#L8

It is easy to install when you don't care at all about the meaning of the p3p stuff.


One possible thing to do is to add the domain to allowed sites in tools -> internet options -> privacy -> sites: somedomain.com -> allow -> OK.


In Rails 3.2 I am using:

class ApplicationController < ActionController::Base

  before_filter :set_p3p

  private
    # for IE session cookies thru iframe
    def set_p3p
      headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'
    end
end

I got this from: http://dot-net-web-developer-bristol.blogspot.com/2012/04/setting-p3p-header-in-rails-session.html


I've implemented a full P3P policy before but didn't want to go through the hassle again for a new project I was working on. I found this link useful for a simple solution to the problem, only having to specify a minimal compact P3P policy of "CAO PSA OUR":

http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html

The article quotes a (now broken) link to a Microsoft kb article. The policy did the trick for me!


One solution that I haven't seen mentioned here, is using session storage instead of cookies. Of course this might not fit everyone's requirements, but for some cases it's an easy fix.


A better solution would be to make an Ajax call inside the iframe to the page that would get/set cookies...


I know it's a bit late to put my contribution on this subject but I lost so many hours that maybe this answer will help somebody.

I was trying to call a third party cookie on my site and of course it was not working on Internet Explorer 10, even at a low security level... don't ask me why. In the iframe I was calling a read_cookie.php (echo $_COOKIE) with ajax.

And I don't know why I was incapable of setting the P3P policy to solve the problem...

During my search I saw something about getting the cookie in JSON working. I didn't even try because I thought that if the cookie won't pass through an iframe, it will not pass any more through an array...

Guess what, it does! So if you json_encode your cookie then decode after your ajax request, you'll get it!

Maybe there is something I missed and if I did, all my apologies, but I never saw something so stupid. Block third party cookies for security, why not, but let it pass if encoded? Where is the security now?

I hope this post will help somebody and again, if I missed something and I'm dumb, please educate me!


I was investigating this problem with regard to log-off via Azure Access Control Services, and wasn't able to make head or tail of anything.

Then I stumbled over this post https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/

In short, IE doesn't share cookies across zones (e.g. Internet vs. Trusted sites).

So, if your IFrame target and html page are in different zones, P3P won't help with anything.


This finally worked for me (after a lot of hassle and generating some policies using IBM's policy generator). You can download the policy generator here: http://www.softpedia.com/get/Security/Security-Related/P3P-Policy-Editor.shtml

I was not able to download the generator from the official IBM website any more.

I created these files in the root folder of my Web-App:

/index.php
/w3c/policy.html (Human readable format)
/w3c/p3p.xml
/w3c/policy.p3p
  1. Index.php: just send an additional header:

header('P3P: policyref="/w3c/p3p.xml", CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV DEM"');

  2. Content of p3p.xml:

<META>
    <POLICY-REFERENCES>
        <POLICY-REF about="/w3c/policy.p3p#App">
            <INCLUDE>/</INCLUDE>
            <COOKIE-INCLUDE/>
        </POLICY-REF>
    </POLICY-REFERENCES>
</META>

  3. Content of my policy.html file:

<html>
<head>
<STYLE type="text/css">
title { color: #3333FF}
</STYLE>
<title>Privacy Statement for YOUR COMPANY NAME</title>
</head>
<body>
<h1 class="title">Privacy Policy</h1>
<!-- "About Us" section of privacy policy -->
<h2>About Us</h2>
<p>This is a privacy policy for YOUR COMPANY NAME.
Our homepage on the Web is located at <a href="YOURWEBSITE">
YOURWEBSITE</a>.
The full text of our privacy policy is available on the Web at 
<a href="ABSOLUTE URL OF THIS FILE">
ABSOLUTE URL OF THIS FILE</a>
This policy does not tell users where they can go to exercise their opt-in or opt-out options.
<p>We invite you to contact us if you have questions about this policy.
You may contact us by mail at the following address:
<pre>FIRSTNAME LASTNAME
YOUR ADDRESS HERE
</pre>
<p>You may contact us by e-mail at 
<a href="mailto:[email protected]">
[email protected]</a>. 
You may call us at TELEPHONENUMBER.
<!-- "Privacy Seals" section of privacy policy -->
<h2>Dispute Resolution and Privacy Seals</h2>
<p>We have the following privacy seals and/or dispute resolution mechanisms.
If you think we have not followed our privacy policy in some way, they can help you resolve your concern.
<ul>
<li>
<b>Dispute</b>:
Contact us for further information
</ul>
<!-- "Additional information" section of privacy policy -->
<h2>Additional Information</h2>
<p>
This policy is valid for 1 day from the time that it is loaded by a client.
</p>
<!-- "Data Collection" section of privacy policy -->
<h2>Data Collection</h2>
<p>P3P policies declare the data they collect in groups (also referred to as "statements").
This policy contains 1 data group.
<hr width="50%" align="center">
<h3>Group "App control data"</h3>
<p>We collect the following information:
<ul>
<li>HTTP cookies</li>
</ul>
<p>This data will be used for the following purposes:</p>
<ul>
<li>Completion and support of the current activity.</li>
<li>Web site and system administration.</li>
<li>Research and development.</li>
<li>Historical preservation.</li>
<li>Other purposes<p>Control Flow of the application</p></li>
</ul>
<p>This data will be used by ourselves and our agents.
<p>The data in this group has been marked as non-identifiable. This means that there is no
reasonable way for the site to identify the individual person this data was collected from.
<p>The following explanation is provided for why this data is collected:</p>
<blockquote>This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</blockquote>
<!-- "Use of Cookies" section of privacy policy -->
<hr width="50%" align="center">
<h2>Cookies</h2>
<p>Cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.
<p>Our site makes use of cookies.
Cookies are used for the following purposes:
<ul>
<li>Site administration
<li>Completing the user's current activity
<li>Research and development
<li>Other
(Control Flow of the application)
</ul>
<!-- "Compact Policy Explanation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Compact Policy Summary</h2>
<p>The compact policy which corresponds to this policy is:
<pre>
    CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV"
</pre>
<p>The following table explains the meaning of each field in the compact policy.
<center><table width="80%" border="1" cols="2">
<tr><td align="center" valign="top" width="20%"><b>Field</b></td><td align="center" valign="top" width="80%"><b>Meaning</b></td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CP=</tt></td>
<td align="left" valign="top" width="80%">This is the compact policy header; it indicates that what follows is a P3P compact policy.</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ALL</tt></td>
<td align="left" valign="top" width="80%">
Access to all collected information is available.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DSP</tt></td>
<td align="left" valign="top" width="80%">
The policy contains at least one dispute-resolution mechanism.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NID</tt></td>
<td align="left" valign="top" width="80%">
The information collected is not personally identifiable.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CURa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for completion of the current activity.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ADMa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for site administration.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DEVa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for research and development.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>HISa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for historical archival purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OTPa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for other purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OUR</tt></td>
<td align="left" valign="top" width="80%">
The data is given to ourselves and our agents.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NOR</tt></td>
<td align="left" valign="top" width="80%">
The data is not kept beyond the current transaction.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NAV</tt></td>
<td align="left" valign="top" width="80%">
Navigation and clickstream data is collected.
</td></tr>
</table></center>
<p>The compact policy is sent by the Web server along with the cookies it describes.
For more information, see the P3P deployment guide at <a href="http://www.w3.org/TR/p3pdeployment">http://www.w3.org/TR/p3pdeployment</a>.
<!-- "Policy Evaluation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Policy Evaluation</h2>
<p>Microsoft Internet Explorer 6 will evaluate this policy's compact policy whenever it is used with a cookie.
The actions IE will take depend on what privacy level the user has selected in their browser (Low, Medium, Medium High, or High; the default is Medium).
In addition, IE will examine whether the cookie's policy is considered satisfactory or unsatisfactory, whether the cookie is a session cookie or a persistent cookie, and whether the cookie is used in a first-party or third-party context.
This section will attempt to evaluate this policy's compact policy against Microsoft's stated behavior for IE6.
<p><b>Note:</b> this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser.
<p><b>Satisfactory policy</b>: this compact policy is considered <em>satisfactory</em> according to the rules defined by Internet Explorer 6.
IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.
</body></html>

  4. Content of policy.p3p:
<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
    <!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->

    <!-- Expiry information for this policy -->
    <EXPIRY max-age="86400"/>

<POLICY
    name="App"
    discuri="ABSOLUTE URL TO policy.html"
    xml:lang="de">
    <!-- Description of the entity making this policy statement. -->
    <ENTITY>
    <DATA-GROUP>
<DATA ref="#business.name">COMPANY NAME</DATA>
<DATA ref="#business.contact-info.online.email">[email protected]</DATA>
<DATA ref="#business.contact-info.online.uri">YOURWEBSITE</DATA>
<DATA ref="#business.contact-info.telecom.telephone.number">YOURPHONENUMBER</DATA>
<DATA ref="#business.contact-info.postal.organization">FIRSTNAME LASTNAME</DATA>
<DATA ref="#business.contact-info.postal.street">STREET</DATA>
<DATA ref="#business.contact-info.postal.city">CITY</DATA>
<DATA ref="#business.contact-info.postal.stateprov">STAGE</DATA>
<DATA ref="#business.contact-info.postal.postalcode">POSTALCODE</DATA>
<DATA ref="#business.contact-info.postal.country">Germany</DATA>
    </DATA-GROUP>
    </ENTITY>

    <!-- Disclosure -->
    <ACCESS><all/></ACCESS>


    <!-- Disputes -->
    <DISPUTES-GROUP>
        <DISPUTES resolution-type="service" service="YOURWEBSITE CONTACT FORM" short-description="Dispute">
            <LONG-DESCRIPTION>Contact us for further information</LONG-DESCRIPTION>
    <!-- No remedies specified -->
        </DISPUTES>
    </DISPUTES-GROUP>

    <!-- Statement for group "App control data" -->
    <STATEMENT>
        <EXTENSION optional="yes">
            <GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="App control data"/>
        </EXTENSION>

    <!-- Consequence -->
    <CONSEQUENCE>
This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</CONSEQUENCE>

    <!-- Data in this statement is marked as being non-identifiable -->
    <NON-IDENTIFIABLE/>

    <!-- Use (purpose) -->
    <PURPOSE><admin/><current/><develop/><historical/><other-purpose>Control Flow of the application</other-purpose></PURPOSE>

    <!-- Recipients -->
    <RECIPIENT><ours/></RECIPIENT>

    <!-- Retention -->
    <RETENTION><no-retention/></RETENTION>

    <!-- Base dataschema elements. -->
    <DATA-GROUP>
    <DATA ref="#dynamic.cookies"><CATEGORIES><navigation/></CATEGORIES></DATA>
    </DATA-GROUP>
</STATEMENT>

<!-- End of policy -->
</POLICY>
</POLICIES>


This post provides some commentary on P3P and a short-cut solution that reduces the problems with IE7 and IE8.


If you own the domain that needs to be embedded, then you could, before calling the page that includes the IFrame, redirect to that domain, which will create the cookie and redirect back, as explained here: http://www.mendoweb.be/blog/internet-explorer-safari-third-party-cookie-problem/

This will work for Internet Explorer, and for Safari as well (because Safari also blocks third-party cookies).


You can also combine the p3p.xml and policy.xml files as such:

/home/ubuntu/sites/shared/w3c/p3p.xml

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
  <POLICIES>
    <POLICY discuri="" name="policy1">
      <ENTITY>
        <DATA-GROUP>
          <DATA ref="#business.name"></DATA> 
          <DATA ref="#business.contact-info.online.email"></DATA> 
        </DATA-GROUP>
      </ENTITY>
      <ACCESS>
        <nonident/>
      </ACCESS>
      <!-- if the site has a dispute resolution procedure that it follows, a DISPUTES-GROUP should be included here -->
      <STATEMENT>
        <PURPOSE>
          <current/>
          <admin/>
          <develop/>
        </PURPOSE>
        <RECIPIENT>
          <ours/>
        </RECIPIENT>
        <RETENTION>
          <indefinitely/>
        </RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
          <DATA ref="#dynamic.http"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>
  </POLICIES>
</META>

I found the easiest way to add a header is proxy through Apache and use mod_headers, as such:

<VirtualHost *:80>
  ServerName mydomain.com

  DocumentRoot /home/ubuntu/sites/shared/w3c/

  ProxyRequests off
  ProxyPass /w3c/ !
  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyPreserveHost on

  # The header name is P3P; the value carries only policyref and CP
  # (repeating "P3P:" inside the value would leave IE without a usable CP)
  Header add P3P 'policyref="/w3c/p3p.xml", CP="NID DSP ALL COR"'
</VirtualHost>

So we proxy all requests except those to /w3c/p3p.xml to our application server.

You can test it all with the W3C validator.
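As an added example (not code from any answer on this page), a small Python audit of the point several answers make: every response from the framed site, scripts and images included, must carry a well-formed P3P header. It flags responses with no P3P header, a header name pasted into the value, and CP tokens outside the P3P 1.0 compact-policy vocabulary; the sample responses are constructed. It does not reproduce IE's satisfactory/unsatisfactory evaluation, so an unknown token is a syntax finding only (answers above report arbitrary CP values being accepted).

```python
import re

# P3P 1.0 compact-policy vocabulary. Purpose and recipient tokens may carry an
# a/i/o suffix (always / opt-in / opt-out), the others never do.
_PLAIN = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON", "LAW",
          "NID", "NOR", "STP", "LEG", "BUS", "IND", "TST",
          "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
          "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
_SUFFIXED = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
             "HIS", "TEL", "OTP", "OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def check_p3p_value(value):
    """Return a list of problems with one P3P header value ([] if it is clean)."""
    problems = []
    if value.lstrip().upper().startswith("P3P:"):
        # The header name leaked into the value (e.g. Header add P3P 'P3P:...'):
        # the header IE sees then starts with "P3P:" instead of policyref/CP.
        problems.append("header name 'P3P:' repeated inside the value")
    m = _CP_RE.search(value)
    if not m:
        problems.append('no CP="..." compact policy')
        return problems
    for tok in m.group(1).split():
        base = tok[:-1] if tok[-1] in "aio" and tok[:-1] in _SUFFIXED else tok
        if base not in _PLAIN and base not in _SUFFIXED:
            problems.append("unknown compact-policy token %r" % tok)
    return problems


def audit_responses(responses):
    """responses: list of (path, {header: value}). Returns {path: [problems]} for
    every response that is not cleanly covered, static assets included."""
    report = {}
    for path, headers in responses:
        value = next((v for k, v in headers.items() if k.lower() == "p3p"), None)
        problems = ["no P3P header"] if value is None else check_p3p_value(value)
        if problems:
            report[path] = problems
    return report


# Constructed sample responses (not captured from any real site).
SAMPLE = [
    ("/someform.asp", {"Set-Cookie": "sid=abc", "P3P": 'CP="CAO PSA OUR"'}),
    ("/app.js", {"Content-Type": "text/javascript"}),
    ("/logo.png", {"P3P": 'P3P:policyref="/w3c/p3p.xml", CP="NID DSP ALL COR"'}),
    ("/process.asp", {"P3P": 'CP="Thanks IE8"'}),
]

if __name__ == "__main__":
    for path, problems in audit_responses(SAMPLE).items():
        print(path, "->", "; ".join(problems))
```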


A better solution would be to make an Ajax call inside the iframe to the page that would get/set cookies...


I've implemented a full P3P policy before but didn't want to go through the hassle again for a new project I was working on. I found this link useful for a simple solution to the problem, only having to specify a minimal compact P3P policy of "CAO PSA OUR":

http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html

The article quotes a (now broken) link to a Microsoft kb article. The policy did the trick for me!


If anybody is looking for Apache line; we used this one.

Header set P3P "CP=\"Thanks IE8\""

It really didn't matter what we set CP value to, as long as there is the P3P header.


In Rails 3.2 I am using:

class ApplicationController < ActionController::Base

  before_filter :set_p3p

  private
    # for IE session cookies thru iframe
    def set_p3p
      headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'
    end
end

I got this from: http://dot-net-web-developer-bristol.blogspot.com/2012/04/setting-p3p-header-in-rails-session.html


For anyone trying to get the P3P Compact Policy working with static content:

It is only possible if you are able to send custom server-side response headers with the static content.

For a more detailed explanation see my answer here: Set P3P code in HTML


Got a similar problem, and also went to investigate how to generate the P3P policy this morning; here is my post about how to generate your own policy and use it in the web site :) http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-policy-and-implement.html


I had this issue as well, thought I'd post the code that I used in my MVC2 project. Be careful about when in the page life cycle you add the header, or you'll get an HttpException "Server cannot append header after HTTP headers have been sent." I used a custom ActionFilterAttribute on the OnActionExecuting method (called before the action is executed).

/// <summary>
/// Privacy Preferences Project (P3P) serve a compact policy (a "p3p" HTTP header) for all requests
/// P3P provides a standard way for Web sites to communicate about their practices around the collection, 
/// use, and distribution of personal information. It's a machine-readable privacy policy that can be 
/// automatically fetched and viewed by users, and it can be tailored to fit your company's specific policies.
/// </summary>
/// <remarks>
/// More info http://www.oreillynet.com/lpt/a/1554
/// </remarks>
public class P3PAttribute : ActionFilterAttribute
{
    /// <summary>
    /// On Action Executing add a compact policy "p3p" HTTP header
    /// </summary>
    /// <param name="filterContext"></param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

        base.OnActionExecuting(filterContext);
    }
}

Example use:

[P3P]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewData["Message"] = "Welcome!";

        return View();
    }

    public ActionResult About()
    {
        return View();
    }
}


This finally worked for me (after a lot of hassle and generating some policies using IBM's policy generator). You can download the policy generator here: http://www.softpedia.com/get/Security/Security-Related/P3P-Policy-Editor.shtml

I was not able to download the generator from the official IBM website any more.

I created these files in the root folder of my Web-App

/index.php
/w3c/policy.html (Human readable format)
/w3c/p3p.xml
/w3c/policy.p3p
  1. Index.php: Just send an additional header:
header('P3P: policyref="/w3c/p3p.xml", CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV DEM"');
  2. Content of p3p.xml
<META>
    <POLICY-REFERENCES>
        <POLICY-REF about="/w3c/policy.p3p#App">
            <INCLUDE>/</INCLUDE>
            <COOKIE-INCLUDE/>
        </POLICY-REF>
    </POLICY-REFERENCES>
</META>
  3. Content of my policy.html file

<html>
<head>
<STYLE type="text/css">
title { color: #3333FF}
</STYLE>
<title>Privacy Statement for YOUR COMPANY NAME</title>
</head>
<body>
<h1 class="title">Privacy Policy</h1>
<!-- "About Us" section of privacy policy -->
<h2>About Us</h2>
<p>This is a privacy policy for YOUR COMPANY NAME.
Our homepage on the Web is located at <a href="YOURWEBSITE">
YOURWEBSITE</a>.
The full text of our privacy policy is available on the Web at 
<a href="ABSOLUTE URL OF THIS FILE">
ABSOLUTE URL OF THIS FILE</a>
This policy does not tell users where they can go to exercise their opt-in or opt-out options.
<p>We invite you to contact us if you have questions about this policy.
You may contact us by mail at the following address:
<pre>FIRSTNAME LASTNAME
YOUR ADDRESS HERE
</pre>
<p>You may contact us by e-mail at 
<a href="mailto:[email protected]">
[email protected]</a>. 
You may call us at TELEPHONENUMBER.
<!-- "Privacy Seals" section of privacy policy -->
<h2>Dispute Resolution and Privacy Seals</h2>
<p>We have the following privacy seals and/or dispute resolution mechanisms.
If you think we have not followed our privacy policy in some way, they can help you resolve your concern.
<ul>
<li>
<b>Dispute</b>:
Contact us for further information
</ul>
<!-- "Additional information" section of privacy policy -->
<h2>Additional Information</h2>
<p>
This policy is valid for 1 day from the time that it is loaded by a client.
</p>
<!-- "Data Collection" section of privacy policy -->
<h2>Data Collection</h2>
<p>P3P policies declare the data they collect in groups (also referred to as "statements").
This policy contains 1 data group.
<hr width="50%" align="center">
<h3>Group "App control data"</h3>
<p>We collect the following information:
<ul>
<li>HTTP cookies</li>
</ul>
<p>This data will be used for the following purposes:</p>
<ul>
<li>Completion and support of the current activity.</li>
<li>Web site and system administration.</li>
<li>Research and development.</li>
<li>Historical preservation.</li>
<li>Other purposes<p>Control Flow of the application</p></li>
</ul>
<p>This data will be used by ourselves and our agents.
<p>The data in this group has been marked as non-identifiable. This means that there is no
reasonable way for the site to identify the individual person this data was collected from.
<p>The following explanation is provided for why this data is collected:</p>
<blockquote>This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</blockquote>
<!-- "Use of Cookies" section of privacy policy -->
<hr width="50%" align="center">
<h2>Cookies</h2>
<p>Cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.
<p>Our site makes use of cookies.
Cookies are used for the following purposes:
<ul>
<li>Site administration
<li>Completing the user's current activity
<li>Research and development
<li>Other
(Control Flow of the application)
</ul>
<!-- "Compact Policy Explanation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Compact Policy Summary</h2>
<p>The compact policy which corresponds to this policy is:
<pre>
    CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV"
</pre>
<p>The following table explains the meaning of each field in the compact policy.
<center><table width="80%" border="1" cols="2">
<tr><td align="center" valign="top" width="20%"><b>Field</b></td><td align="center" valign="top" width="80%"><b>Meaning</b></td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CP=</tt></td>
<td align="left" valign="top" width="80%">This is the compact policy header; it indicates that what follows is a P3P compact policy.</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ALL</tt></td>
<td align="left" valign="top" width="80%">
Access to all collected information is available.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DSP</tt></td>
<td align="left" valign="top" width="80%">
The policy contains at least one dispute-resolution mechanism.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NID</tt></td>
<td align="left" valign="top" width="80%">
The information collected is not personally identifiable.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>CURa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for completion of the current activity.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>ADMa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for site administration.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>DEVa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for research and development.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>HISa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for historical archival purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OTPa</tt></td>
<td align="left" valign="top" width="80%">
The data is used for other purposes.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>OUR</tt></td>
<td align="left" valign="top" width="80%">
The data is given to ourselves and our agents.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NOR</tt></td>
<td align="left" valign="top" width="80%">
The data is not kept beyond the current transaction.
</td></tr>
<tr><td align="left" valign="top" width="20%"><tt>NAV</tt></td>
<td align="left" valign="top" width="80%">
Navigation and clickstream data is collected.
</td></tr>
</table></center>
<p>The compact policy is sent by the Web server along with the cookies it describes.
For more information, see the P3P deployment guide at <a href="http://www.w3.org/TR/p3pdeployment">http://www.w3.org/TR/p3pdeployment</a>.
<!-- "Policy Evaluation" section of privacy policy -->
<hr width="50%" align="center">
<h2>Policy Evaluation</h2>
<p>Microsoft Internet Explorer 6 will evaluate this policy's compact policy whenever it is used with a cookie.
The actions IE will take depend on what privacy level the user has selected in their browser (Low, Medium, Medium High, or High; the default is Medium).
In addition, IE will examine whether the cookie's policy is considered satisfactory or unsatisfactory, whether the cookie is a session cookie or a persistent cookie, and whether the cookie is used in a first-party or third-party context.
This section will attempt to evaluate this policy's compact policy against Microsoft's stated behavior for IE6.
<p><b>Note:</b> this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser.
<p><b>Satisfactory policy</b>: this compact policy is considered <em>satisfactory</em> according to the rules defined by Internet Explorer 6.
IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.
</body></html>

  4. Content of policy.p3p
<?xml version="1.0"?>
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
    <!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->

    <!-- Expiry information for this policy -->
    <EXPIRY max-age="86400"/>

<POLICY
    name="App"
    discuri="ABSOLUTE URL TO policy.html"
    xml:lang="de">
    <!-- Description of the entity making this policy statement. -->
    <ENTITY>
    <DATA-GROUP>
<DATA ref="#business.name">COMPANY NAME</DATA>
<DATA ref="#business.contact-info.online.email">[email protected]</DATA>
<DATA ref="#business.contact-info.online.uri">YOURWEBSITE</DATA>
<DATA ref="#business.contact-info.telecom.telephone.number">YOURPHONENUMBER</DATA>
<DATA ref="#business.contact-info.postal.organization">FIRSTNAME LASTNAME</DATA>
<DATA ref="#business.contact-info.postal.street">STREET</DATA>
<DATA ref="#business.contact-info.postal.city">CITY</DATA>
<DATA ref="#business.contact-info.postal.stateprov">STAGE</DATA>
<DATA ref="#business.contact-info.postal.postalcode">POSTALCODE</DATA>
<DATA ref="#business.contact-info.postal.country">Germany</DATA>
    </DATA-GROUP>
    </ENTITY>

    <!-- Disclosure -->
    <ACCESS><all/></ACCESS>


    <!-- Disputes -->
    <DISPUTES-GROUP>
        <DISPUTES resolution-type="service" service="YOURWEBSITE CONTACT FORM" short-description="Dispute">
            <LONG-DESCRIPTION>Contact us for further information</LONG-DESCRIPTION>
    <!-- No remedies specified -->
        </DISPUTES>
    </DISPUTES-GROUP>

    <!-- Statement for group "App control data" -->
    <STATEMENT>
        <EXTENSION optional="yes">
            <GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="App control data"/>
        </EXTENSION>

    <!-- Consequence -->
    <CONSEQUENCE>
This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</CONSEQUENCE>

    <!-- Data in this statement is marked as being non-identifiable -->
    <NON-IDENTIFIABLE/>

    <!-- Use (purpose) -->
    <PURPOSE><admin/><current/><develop/><historical/><other-purpose>Control Flow of the application</other-purpose></PURPOSE>

    <!-- Recipients -->
    <RECIPIENT><ours/></RECIPIENT>

    <!-- Retention -->
    <RETENTION><no-retention/></RETENTION>

    <!-- Base dataschema elements. -->
    <DATA-GROUP>
    <DATA ref="#dynamic.cookies"><CATEGORIES><navigation/></CATEGORIES></DATA>
    </DATA-GROUP>
</STATEMENT>

<!-- End of policy -->
</POLICY>
</POLICIES>