Cookie blocked not saved in IFRAME in Internet Explorer

Question

I have two websites  let s say they re example com and anotherexample net  On anotherexample net page html  I have an IFRAME SRC  http   example com someform asp   That IFRAME displays a form for the user to fill out and submit to http   example com process asp  When I open the form   someform asp   in its own browser window  all works well  However  when I load someform asp as an IFRAME in IE 6 or IE 7  the cookies for example com are not saved  In Firefox this problem doesn t appear   For testing purposes  I ve created a similar setup on http   newmoon wz cz test page php    example com uses cookie-based sessions  and there s nothing I can do about that   so without cookies  process asp won t execute  How do I force IE to save those cookies   Results of sniffing the HTTP traffic  on GET  someform asp response  there s a valid per-session Set-Cookie header  e g  Set-Cookie  ASPKSJIUIUGF JKHJUHVGFYTTYFY   but on POST  process asp request  there is no Cookie header at all   Edit3  some AJAX serverside scripting is apparently capable to sidestep the problem  but that looks very much like a bug  plus it opens a whole new set of security holes  I don t want my applications to use a combination of bug security hole just because it s easy   Edit  the P3P policy was the root cause  full explanation below

User · Answer

I know it s a bit late to put my contribution on this subject but I lost so many hours that maybe this answer will help somebody   I was trying to call a third party cookie on my site and of course it was not working on Internet Explorer 10  even at a low security level    don t ask me why  In the iframe I was calling a read cookie php  echo   COOKIE  with ajax   And I don t know why I was incapable of setting the P3P policy to solve the problem     During my search I saw something about getting the cookie in JSON working  I don t even try because I thought that if the cookie won t pass through an iframe  it will not pass any more through an array     Guess what  it does  So if you json encode your cookie then decode after your ajax request  you ll get it   Maybe there is something I missed and if I did  all my apologies  but i never saw something so stupid  Block third party cookies for security  why not  but let it pass if encoded  Where is the security now   I hope this post will help somebody and again  if I missed something and I m dumb  please educate me

User · Answer

This is buried in the comments of other answers  but I almost missed it  so it seems like it deserves its own answer   To review  in order for IE to accept 3rd party cookies  you need serve your files with an http header called p3p in the format   CP  my compact p3p policy    BUT  p3p is pretty much dead as a standard at this point and you can easily get IE to work without investing the time and legal resources in creating a real p3p policy   This is because if your compact p3p policy header is invalid  IE actually treats it as a good policy and accepts 3rd party cookies   So you can use a p3p header such as this  CP  This site does not have a p3p policy     You can optionally include a link to a page that explains why you don t have a p3p policy  as Google and Facebook do  they point here  https   support google com accounts answer 151657 and  here  https   www facebook com help 327993273962160     Finally  it s important to note that all files served from the 3rd party site need to have the p3p header  not just the one that sets the cookie  so you may not be able to just do this in your PHP  asp net  etc code   You are probably better off setting in up on the web server level  i e  in IIS or Apache

User · Answer

I got it to work  but the solution is a bit complex  so bear with me   What s happening  As it is  Internet Explorer gives lower level of trust to IFRAME pages  IE calls this  third-party  content   If the page inside the IFRAME doesn t have a Privacy Policy  its cookies are blocked  which is indicated by the eye icon in status bar  when you click on it  it shows you a list of blocked URLs      source  piskvor org     In this case  when cookies are blocked  session identifier is not sent  and the target script throws a  session not found  error    I ve tried setting the session identifier into the form and loading it from POST variables  This would have worked  but for political reasons I couldn t do that    It is possible to make the page inside the IFRAME more trusted  if the inner page sends a P3P header with a privacy policy that is acceptable to IE  the cookies will be accepted    How to solve it  Create a p3p policy  A good starting point is the W3C tutorial  I ve gone through it  downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by  here it was policy1     NOTE  at this point  you actually need to find out if your site has a privacy policy  and if not  create it - whether it collects user data  what kind of data  what it does with it  who has access to it  etc  You need to find this information and think about it  Just slapping together a few tags will not cut it  This step cannot be done purely in software  and may be highly political  e g   should we sell our click statistics       e g   the site is operated by ACME Ltd   it uses anonymous per-session identifiers for its operation  collects user data only if explicitly permitted and only for the following purposes  the data is stored only as long as necessary  only our company has access to it  etc  etc        When editing with this tool  it s possible to view errors omissions in the policy  Also very useful is the tab  HTML Policy   at the bottom  it has a  Policy Evaluation  - a quick check if the policy will be blocked by IE s default settings   The Editor exports to a  p3p file  which is an XML representation of the above policy  Also  it can export a  compact version  of this policy   Link to the policy  Then a Policy Reference file  http   example com w3c p3p xml  was needed  an index of privacy policies the site uses     lt META gt     lt POLICY-REFERENCES gt       lt POLICY-REF about   w3c example-com p3p policy1  gt         lt INCLUDE gt   lt  INCLUDE gt         lt COOKIE-INCLUDE  gt       lt  POLICY-REF gt     lt  POLICY-REFERENCES gt   lt  META gt    The  lt INCLUDE gt  shows all URIs that will use this policy  in my case  the whole site   The policy file I ve exported from the Editor was uploaded to http   example com w3c example-com p3p   Send the compact header with responses  I ve set the webserver at example com to send the compact header with responses  like this   HTTP 1 1 200 OK  P3P  policyref   w3c p3p xml   CP  IDC DSP COR IVAi IVDi OUR TST         other headers and content   policyref is a relative URI to the Policy Reference file  which in turn references the privacy policies   CP is the compact policy representation  Note that the combination of P3P headers in the example may not be applicable on your specific website  your P3P headers MUST truthfully represent your own privacy policy   Profit   In this configuration  the Evil Eye does not appear  the cookies are saved even in the IFRAME  and the application works   Edit  What NOT to do  unless you like defending from lawsuits  Several people have suggested  just slap some tags into your P3P header  until the Evil Eye gives up    The tags are not only a bunch of bits  they have real world meanings  and their use gives you real world responsibilities    For example  pretending that you never collect user data might make the browser happy  but if you actually collect user data  the P3P is conflicting with reality  Plain and simple  you are purposefully lying to your users  and that might be criminal behavior in some countries  As in   go to jail  do not collect  200    A few examples  see p3pwriter for the full set of tags     NOI    Web Site does not collected identified data    as soon as there s any customization  a login  or any data collection        Analytics  anyone    you must acknowledge it in your P3P  STP  Information is retained to meet the stated purpose  This requires information to be discarded at the earliest time possible  Sites MUST have a retention policy that establishes a destruction time table  The retention policy MUST be included in or linked from the site s human-readable privacy policy    so if you send STP but don t have a retention policy  you may be committing fraud  How cool is that  Not at all     I m not a lawyer  but I m not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually willing to honor your promises

User · Answer

In Rails I am using this gem   https   github com merchii rack-iframe Bawically it sets a set of abbreviations without a reference file  https   github com merchii rack-iframe blob master lib rack iframe rb L8  It is easy to install when you dont care at all about the meaning of the p3p stuff

User · Answer

I got it to work  but the solution is a bit complex  so bear with me   What s happening  As it is  Internet Explorer gives lower level of trust to IFRAME pages  IE calls this  third-party  content   If the page inside the IFRAME doesn t have a Privacy Policy  its cookies are blocked  which is indicated by the eye icon in status bar  when you click on it  it shows you a list of blocked URLs      source  piskvor org     In this case  when cookies are blocked  session identifier is not sent  and the target script throws a  session not found  error    I ve tried setting the session identifier into the form and loading it from POST variables  This would have worked  but for political reasons I couldn t do that    It is possible to make the page inside the IFRAME more trusted  if the inner page sends a P3P header with a privacy policy that is acceptable to IE  the cookies will be accepted    How to solve it  Create a p3p policy  A good starting point is the W3C tutorial  I ve gone through it  downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by  here it was policy1     NOTE  at this point  you actually need to find out if your site has a privacy policy  and if not  create it - whether it collects user data  what kind of data  what it does with it  who has access to it  etc  You need to find this information and think about it  Just slapping together a few tags will not cut it  This step cannot be done purely in software  and may be highly political  e g   should we sell our click statistics       e g   the site is operated by ACME Ltd   it uses anonymous per-session identifiers for its operation  collects user data only if explicitly permitted and only for the following purposes  the data is stored only as long as necessary  only our company has access to it  etc  etc        When editing with this tool  it s possible to view errors omissions in the policy  Also very useful is the tab  HTML Policy   at the bottom  it has a  Policy Evaluation  - a quick check if the policy will be blocked by IE s default settings   The Editor exports to a  p3p file  which is an XML representation of the above policy  Also  it can export a  compact version  of this policy   Link to the policy  Then a Policy Reference file  http   example com w3c p3p xml  was needed  an index of privacy policies the site uses     lt META gt     lt POLICY-REFERENCES gt       lt POLICY-REF about   w3c example-com p3p policy1  gt         lt INCLUDE gt   lt  INCLUDE gt         lt COOKIE-INCLUDE  gt       lt  POLICY-REF gt     lt  POLICY-REFERENCES gt   lt  META gt    The  lt INCLUDE gt  shows all URIs that will use this policy  in my case  the whole site   The policy file I ve exported from the Editor was uploaded to http   example com w3c example-com p3p   Send the compact header with responses  I ve set the webserver at example com to send the compact header with responses  like this   HTTP 1 1 200 OK  P3P  policyref   w3c p3p xml   CP  IDC DSP COR IVAi IVDi OUR TST         other headers and content   policyref is a relative URI to the Policy Reference file  which in turn references the privacy policies   CP is the compact policy representation  Note that the combination of P3P headers in the example may not be applicable on your specific website  your P3P headers MUST truthfully represent your own privacy policy   Profit   In this configuration  the Evil Eye does not appear  the cookies are saved even in the IFRAME  and the application works   Edit  What NOT to do  unless you like defending from lawsuits  Several people have suggested  just slap some tags into your P3P header  until the Evil Eye gives up    The tags are not only a bunch of bits  they have real world meanings  and their use gives you real world responsibilities    For example  pretending that you never collect user data might make the browser happy  but if you actually collect user data  the P3P is conflicting with reality  Plain and simple  you are purposefully lying to your users  and that might be criminal behavior in some countries  As in   go to jail  do not collect  200    A few examples  see p3pwriter for the full set of tags     NOI    Web Site does not collected identified data    as soon as there s any customization  a login  or any data collection        Analytics  anyone    you must acknowledge it in your P3P  STP  Information is retained to meet the stated purpose  This requires information to be discarded at the earliest time possible  Sites MUST have a retention policy that establishes a destruction time table  The retention policy MUST be included in or linked from the site s human-readable privacy policy    so if you send STP but don t have a retention policy  you may be committing fraud  How cool is that  Not at all     I m not a lawyer  but I m not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually willing to honor your promises

User · Answer

Anyone having this problem in node js   Then add this p3p module  and enable this module at middleware   npm install p3p   I am using express so I add it in app js  First require that module in app js  var express   require  express    var app   express    var p3p   require  p3p      then use it as middleware  app use p3p p3p recommended      It will add p3p headers at res object  No need to do any extra things   You will get more info at   https   github com troygoode node-p3p

User · Answer

This post provides some commentary on P3P and a short-cut solution that reduces the problems with IE7 and IE8

User · Answer

I was able to make the evil eye go away by simply adding this small header to the site in the IFrame  PHP solution    header  P3P  CP  NOI ADM DEV COM NAV OUR STP       Remember to press ctrl F5 to reload your site or Explorer may still show the evil eye  despite the fact that it s working fine  This is probably the main reason why I had so many problems getting it to work   No policy file was neccesary at all   Edit  I found a nice blog entry that explains the problem with cookies in IFrames  It also has a quick fix in C  code  Frames  ASPX Pages and Rejected Cookies

User · Answer

I was able to make the evil eye go away by simply adding this small header to the site in the IFrame  PHP solution    header  P3P  CP  NOI ADM DEV COM NAV OUR STP       Remember to press ctrl F5 to reload your site or Explorer may still show the evil eye  despite the fact that it s working fine  This is probably the main reason why I had so many problems getting it to work   No policy file was neccesary at all   Edit  I found a nice blog entry that explains the problem with cookies in IFrames  It also has a quick fix in C  code  Frames  ASPX Pages and Rejected Cookies

User · Answer

You can also combine the p3p xml and policy xml files as such    home ubuntu sites shared w3c p3p xml   lt META xmlns  http   www w3 org 2002 01 P3Pv1  gt     lt POLICY-REFERENCES gt       lt POLICY-REF about   policy1  gt         lt INCLUDE gt   lt  INCLUDE gt         lt COOKIE-INCLUDE  gt       lt  POLICY-REF gt     lt  POLICY-REFERENCES gt     lt POLICIES gt       lt POLICY discuri    name  policy1  gt         lt ENTITY gt           lt DATA-GROUP gt             lt DATA ref   business name  gt  lt  DATA gt              lt DATA ref   business contact-info online email  gt  lt  DATA gt            lt  DATA-GROUP gt         lt  ENTITY gt         lt ACCESS gt           lt nonident  gt         lt  ACCESS gt         lt  -- if the site has a dispute resolution procedure that it follows  a DISPUTES-GROUP should be included here -- gt         lt STATEMENT gt           lt PURPOSE gt             lt current  gt             lt admin  gt             lt develop  gt           lt  PURPOSE gt           lt RECIPIENT gt             lt ours  gt           lt  RECIPIENT gt           lt RETENTION gt             lt indefinitely  gt           lt  RETENTION gt           lt DATA-GROUP gt             lt DATA ref   dynamic clickstream   gt             lt DATA ref   dynamic http   gt           lt  DATA-GROUP gt         lt  STATEMENT gt       lt  POLICY gt     lt  POLICIES gt   lt  META gt    I found the easiest way to add a header is proxy through Apache and use mod headers  as such    lt VirtualHost   80 gt    ServerName mydomain com    DocumentRoot  home ubuntu sites shared w3c     ProxyRequests off   ProxyPass  w3c      ProxyPass   http   127 0 0 1 8080    ProxyPassReverse   http   127 0 0 1 8080    ProxyPreserveHost on    Header add p3p  P3P policyref   w3c p3p xml   CP  NID DSP ALL COR    lt  VirtualHost gt    So we proxy all requests except those to  w3c p3p xml to our application server   You can test it all with the W3C validator

User · Answer

Got similar problem  also went to investigate how to generate the P3P policy this morning  here is my post about how to generate your own policy and use in the web site    http   everydayopenslikeaflower blogspot com 2009 08 how-to-create-p3p-policy-and-implement html

User · Answer

A better solution would be to make an Ajax call inside the iframe to the page that would get set cookies

User · Answer

One possible thing to do is to add the domain to allowed sites in tools -  internet options -  privacy -  sites  somedomain com -  allow -  OK

User · Answer

This finally worked for me  after a lot of hastle and generating some policies using IBMs policy generator   You can downlod the policy generator here  http   www softpedia com get Security Security-Related P3P-Policy-Editor shtml  I was not able to download the generator from the official IBM website any more   I created these files in the root folder of my Web-App   index php  w3c policy html  Human readable format   w3c p3p xml  w3c policy p3p    Index php  Just send an additional header    header  P3P  policyref   w3c p3p xml   CP  ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV DEM        Content of p3p xml    lt META gt       lt POLICY-REFERENCES gt           lt POLICY-REF about   w3c policy p3p App  gt               lt INCLUDE gt   lt  INCLUDE gt               lt COOKIE-INCLUDE  gt           lt  POLICY-REF gt       lt  POLICY-REFERENCES gt   lt  META gt     Content of my policy html file    x000D   x000D   lt html gt  x000D   lt head gt  x000D   lt STYLE type  text css  gt  x000D  title   color   3333FF  x000D   lt  STYLE gt  x000D   lt title gt Privacy Statement for YOUR COMPANY NAME lt  title gt  x000D   lt  head gt  x000D   lt body gt  x000D   lt h1 class  title  gt Privacy Policy lt  h1 gt  x000D   lt  --  About Us  section of privacy policy -- gt  x000D   lt h2 gt About Us lt  h2 gt  x000D   lt p gt This is a privacy policy for YOUR COMPANY NAME  x000D  Our homepage on the Web is located at  lt a href  YOURWEBSITE  gt  x000D  YOURWEBSITE lt  a gt   x000D  The full text of our privacy policy is available on the Web at  x000D   lt a href  ABSOLUTE URL OF THIS FILE  gt  x000D  ABSOLUTE URL OF THIS FILE lt  a gt  x000D  This policy does not tell users where they can go to exercise their opt-in or opt-out options  x000D   lt p gt We invite you to contact us if you have questions about this policy  x000D  You may contact us by mail at the following address  x000D   lt pre gt FIRSTNAME LASTNAME x000D  YOUR ADDRESS HERE x000D   lt  pre gt  x000D   lt p gt You may contact us by e-mail at  x000D   lt a href  mailto info YOURMAIL de  gt  x000D  info YOURMAIL eu lt  a gt    x000D  You may call us at TELEPHONENUMBER  x000D   lt  --  Privacy Seals  section of privacy policy -- gt  x000D   lt h2 gt Dispute Resolution and Privacy Seals lt  h2 gt  x000D   lt p gt We have the following privacy seals and or dispute resolution mechanisms  x000D  If you think we have not followed our privacy policy in some way  they can help you resolve your concern  x000D   lt ul gt  x000D   lt li gt  x000D   lt b gt Dispute lt  b gt   x000D  Contact us for further information x000D   lt  ul gt  x000D   lt  --  Additional information  section of privacy policy -- gt  x000D   lt h2 gt Additional Information lt  h2 gt  x000D   lt p gt  x000D  This policy is valid for 1 day from the time that it is loaded by a client  x000D   lt  p gt  x000D   lt  --  Data Collection  section of privacy policy -- gt  x000D   lt h2 gt Data Collection lt  h2 gt  x000D   lt p gt P3P policies declare the data they collect in groups  also referred to as  statements    x000D  This policy contains 1 data group  x000D   lt hr width  50   align  center  gt  x000D   lt h3 gt Group  App control data  lt  h3 gt  x000D   lt p gt We collect the following information  x000D   lt ul gt  x000D   lt li gt HTTP cookies lt  li gt  x000D   lt  ul gt  x000D   lt p gt This data will be used for the following purposes  lt  p gt  x000D   lt ul gt  x000D   lt li gt Completion and support of the current activity  lt  li gt  x000D   lt li gt Web site and system administration  lt  li gt  x000D   lt li gt Research and development  lt  li gt  x000D   lt li gt Historical preservation  lt  li gt  x000D   lt li gt Other purposes lt p gt Control Flow of the application lt  p gt  lt  li gt  x000D   lt  ul gt  x000D   lt p gt This data will be used by ourselves and our agents  x000D   lt p gt The data in this group has been marked as non-identifiable  This means that there is no x000D  reasonable way for the site to identify the individual person this data was collected from  x000D   lt p gt The following explanation is provided for why this data is collected  lt  p gt  x000D   lt blockquote gt This cookie data is only used to control the application within an iframe  e g  a Facebook App  lt  blockquote gt  x000D   lt  --  Use of Cookies  section of privacy policy -- gt  x000D   lt hr width  50   align  center  gt  x000D   lt h2 gt Cookies lt  h2 gt  x000D   lt p gt Cookies are a technology which can be used to provide you with tailored information from a Web site  A cookie is an element of data that a Web site can send to your browser  which may then store it on your system  You can set your browser to notify you when you receive a cookie  giving you the chance to decide whether to accept it  x000D   lt p gt Our site makes use of cookies  x000D  Cookies are used for the following purposes  x000D   lt ul gt  x000D   lt li gt Site administration x000D   lt li gt Completing the user s current activity x000D   lt li gt Research and development x000D   lt li gt Other x000D   Control Flow of the application  x000D   lt  ul gt  x000D   lt  --  Compact Policy Explanation  section of privacy policy -- gt  x000D   lt hr width  50   align  center  gt  x000D   lt h2 gt Compact Policy Summary lt  h2 gt  x000D   lt p gt The compact policy which corresponds to this policy is  x000D   lt pre gt  x000D      CP  ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV  x000D   lt  pre gt  x000D   lt p gt The following table explains the meaning of each field in the compact policy  x000D   lt center gt  lt table width  80   border  1  cols  2  gt  x000D   lt tr gt  lt td align  center  valign  top  width  20   gt  lt b gt Field lt  b gt  lt  td gt  lt td align  center  valign  top  width  80   gt  lt b gt Meaning lt  b gt  lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt CP  lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt This is the compact policy header  it indicates that what follows is a P3P compact policy  lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt ALL lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  Access to all collected information is available  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt DSP lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The policy contains at least one dispute-resolution mechanism  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt NID lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The information collected is not personally identifiable  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt CURa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for completion of the current activity  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt ADMa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for site administration  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt DEVa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for research and development  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt HISa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for historical archival purposes  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt OTPa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for other purposes  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt OUR lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is given to ourselves and our agents  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt NOR lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is not kept beyond the current transaction  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt NAV lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  Navigation and clickstream data is collected  x000D   lt  td gt  lt  tr gt  x000D   lt  table gt  lt  center gt  x000D   lt p gt The compact policy is sent by the Web server along with the cookies it describes  x000D  For more information  see the P3P deployment guide at  lt a href  http   www w3 org TR p3pdeployment  gt http   www w3 org TR p3pdeployment lt  a gt   x000D   lt  --  Policy Evaluation  section of privacy policy -- gt  x000D   lt hr width  50   align  center  gt  x000D   lt h2 gt Policy Evaluation lt  h2 gt  x000D   lt p gt Microsoft Internet Explorer 6 will evaluate this policy s compact policy whenever it is used with a cookie  x000D  The actions IE will take depend on what privacy level the user has selected in their browser  Low  Medium  Medium High  or High  the default is Medium  x000D  In addition  IE will examine whether the cookie s policy is considered satisfactory or unsatisfactory  whether the cookie is a session cookie or a persistent cookie  and whether the cookie is used in a first-party or third-party context  x000D  This section will attempt to evaluate this policy s compact policy against Microsoft s stated behavior for IE6  x000D   lt p gt  lt b gt Note  lt  b gt  this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser  x000D   lt p gt  lt b gt Satisfactory policy lt  b gt   this compact policy is considered  lt em gt satisfactory lt  em gt  according to the rules defined by Internet Explorer 6  x000D  IE6 will accept cookies accompanied by this policy under the High  Medium High  Medium  Low  and Accept All Cookies settings  x000D   lt  body gt  lt  html gt  x000D   x000D   x000D     Content of policy p3p    lt  xml version  1 0   gt   lt POLICIES xmlns  http   www w3 org 2002 01 P3Pv1  gt       lt  -- Generated by IBM P3P Policy Editor version Beta 1 12 built 2 27 04 1 19 PM -- gt        lt  -- Expiry information for this policy -- gt       lt EXPIRY max-age  86400   gt    lt POLICY     name  App      discuri  ABSOLUTE URL TO policy html      xml lang  de  gt       lt  -- Description of the entity making this policy statement  -- gt       lt ENTITY gt       lt DATA-GROUP gt   lt DATA ref   business name  gt COMPANY NAME lt  DATA gt   lt DATA ref   business contact-info online email  gt info YOURMAIL eu lt  DATA gt   lt DATA ref   business contact-info online uri  gt YOURWEBSITE lt  DATA gt   lt DATA ref   business contact-info telecom telephone number  gt YOURPHONENUMBER lt  DATA gt   lt DATA ref   business contact-info postal organization  gt FIRSTNAME LASTNAME lt  DATA gt   lt DATA ref   business contact-info postal street  gt STREET lt  DATA gt   lt DATA ref   business contact-info postal city  gt CITY lt  DATA gt   lt DATA ref   business contact-info postal stateprov  gt STAGE lt  DATA gt   lt DATA ref   business contact-info postal postalcode  gt POSTALCODE lt  DATA gt   lt DATA ref   business contact-info postal country  gt Germany lt  DATA gt       lt  DATA-GROUP gt       lt  ENTITY gt        lt  -- Disclosure -- gt       lt ACCESS gt  lt all  gt  lt  ACCESS gt         lt  -- Disputes -- gt       lt DISPUTES-GROUP gt           lt DISPUTES resolution-type  service  service  YOURWEBSITE CONTACT FORM  short-description  Dispute  gt               lt LONG-DESCRIPTION gt Contact us for further information lt  LONG-DESCRIPTION gt       lt  -- No remedies specified -- gt           lt  DISPUTES gt       lt  DISPUTES-GROUP gt        lt  -- Statement for group  App control data  -- gt       lt STATEMENT gt           lt EXTENSION optional  yes  gt               lt GROUP-INFO xmlns  http   www software ibm com P3P editor extension-1 0 html  name  App control data   gt           lt  EXTENSION gt        lt  -- Consequence -- gt       lt CONSEQUENCE gt  This cookie data is only used to control the application within an iframe  e g  a Facebook App  lt  CONSEQUENCE gt        lt  -- Data in this statement is marked as being non-identifiable -- gt       lt NON-IDENTIFIABLE  gt        lt  -- Use  purpose  -- gt       lt PURPOSE gt  lt admin  gt  lt current  gt  lt develop  gt  lt historical  gt  lt other-purpose gt Control Flow of the application lt  other-purpose gt  lt  PURPOSE gt        lt  -- Recipients -- gt       lt RECIPIENT gt  lt ours  gt  lt  RECIPIENT gt        lt  -- Retention -- gt       lt RETENTION gt  lt no-retention  gt  lt  RETENTION gt        lt  -- Base dataschema elements  -- gt       lt DATA-GROUP gt       lt DATA ref   dynamic cookies  gt  lt CATEGORIES gt  lt navigation  gt  lt  CATEGORIES gt  lt  DATA gt       lt  DATA-GROUP gt   lt  STATEMENT gt    lt  -- End of policy -- gt   lt  POLICY gt   lt  POLICIES gt

User · Answer

One solution that I haven t seen mentioned here  is using session storage instead of cookies  Of course this might not fit everyone s requirements  but for some cases it s an easy fix

User · Answer

Got similar problem  also went to investigate how to generate the P3P policy this morning  here is my post about how to generate your own policy and use in the web site    http   everydayopenslikeaflower blogspot com 2009 08 how-to-create-p3p-policy-and-implement html

User · Answer

In Rails I am using this gem   https   github com merchii rack-iframe Bawically it sets a set of abbreviations without a reference file  https   github com merchii rack-iframe blob master lib rack iframe rb L8  It is easy to install when you dont care at all about the meaning of the p3p stuff

User · Answer

I had this issue as well  thought I d post the code that I used in my MVC2 project  Be careful when in the page life cycle you add in the header or you ll get an HttpException  Server cannot append header after HTTP headers have been sent   I used a custom ActionFilterAttribute on the OnActionExecuting method  called before the action is executed         lt summary gt      Privacy Preferences Project  P3P  serve a compact policy  a  p3p  HTTP header  for all requests     P3P provides a standard way for Web sites to communicate about their practices around the collection       use  and distribution of personal information  It s a machine-readable privacy policy that can be      automatically fetched and viewed by users  and it can be tailored to fit your company s specific policies       lt  summary gt       lt remarks gt      More info http   www oreillynet com lpt a 1554      lt  remarks gt  public class P3PAttribute   ActionFilterAttribute            lt summary gt          On Action Executing add a compact policy  p3p  HTTP header          lt  summary gt           lt param name  filterContext  gt  lt  param gt      public override void OnActionExecuting ActionExecutingContext filterContext                HttpContext Current Response AddHeader  p3p   CP   IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT               base OnActionExecuting filterContext             Example use    P3P  public class HomeController   Controller       public ActionResult Index                 ViewData  Message      Welcome             return View               public ActionResult About                 return View

User · Answer

One solution that I haven t seen mentioned here  is using session storage instead of cookies  Of course this might not fit everyone s requirements  but for some cases it s an easy fix

User · Answer

This post provides some commentary on P3P and a short-cut solution that reduces the problems with IE7 and IE8

User · Answer

This finally worked for me  after a lot of hastle and generating some policies using IBMs policy generator   You can downlod the policy generator here  http   www softpedia com get Security Security-Related P3P-Policy-Editor shtml  I was not able to download the generator from the official IBM website any more   I created these files in the root folder of my Web-App   index php  w3c policy html  Human readable format   w3c p3p xml  w3c policy p3p    Index php  Just send an additional header    header  P3P  policyref   w3c p3p xml   CP  ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV DEM        Content of p3p xml    lt META gt       lt POLICY-REFERENCES gt           lt POLICY-REF about   w3c policy p3p App  gt               lt INCLUDE gt   lt  INCLUDE gt               lt COOKIE-INCLUDE  gt           lt  POLICY-REF gt       lt  POLICY-REFERENCES gt   lt  META gt     Content of my policy html file    x000D   x000D   lt html gt  x000D   lt head gt  x000D   lt STYLE type  text css  gt  x000D  title   color   3333FF  x000D   lt  STYLE gt  x000D   lt title gt Privacy Statement for YOUR COMPANY NAME lt  title gt  x000D   lt  head gt  x000D   lt body gt  x000D   lt h1 class  title  gt Privacy Policy lt  h1 gt  x000D   lt  --  About Us  section of privacy policy -- gt  x000D   lt h2 gt About Us lt  h2 gt  x000D   lt p gt This is a privacy policy for YOUR COMPANY NAME  x000D  Our homepage on the Web is located at  lt a href  YOURWEBSITE  gt  x000D  YOURWEBSITE lt  a gt   x000D  The full text of our privacy policy is available on the Web at  x000D   lt a href  ABSOLUTE URL OF THIS FILE  gt  x000D  ABSOLUTE URL OF THIS FILE lt  a gt  x000D  This policy does not tell users where they can go to exercise their opt-in or opt-out options  x000D   lt p gt We invite you to contact us if you have questions about this policy  x000D  You may contact us by mail at the following address  x000D   lt pre gt FIRSTNAME LASTNAME x000D  YOUR ADDRESS HERE x000D   lt  pre gt  x000D   lt p gt You may contact us by e-mail at  x000D   lt a href  mailto info YOURMAIL de  gt  x000D  info YOURMAIL eu lt  a gt    x000D  You may call us at TELEPHONENUMBER  x000D   lt  --  Privacy Seals  section of privacy policy -- gt  x000D   lt h2 gt Dispute Resolution and Privacy Seals lt  h2 gt  x000D   lt p gt We have the following privacy seals and or dispute resolution mechanisms  x000D  If you think we have not followed our privacy policy in some way  they can help you resolve your concern  x000D   lt ul gt  x000D   lt li gt  x000D   lt b gt Dispute lt  b gt   x000D  Contact us for further information x000D   lt  ul gt  x000D   lt  --  Additional information  section of privacy policy -- gt  x000D   lt h2 gt Additional Information lt  h2 gt  x000D   lt p gt  x000D  This policy is valid for 1 day from the time that it is loaded by a client  x000D   lt  p gt  x000D   lt  --  Data Collection  section of privacy policy -- gt  x000D   lt h2 gt Data Collection lt  h2 gt  x000D   lt p gt P3P policies declare the data they collect in groups  also referred to as  statements    x000D  This policy contains 1 data group  x000D   lt hr width  50   align  center  gt  x000D   lt h3 gt Group  App control data  lt  h3 gt  x000D   lt p gt We collect the following information  x000D   lt ul gt  x000D   lt li gt HTTP cookies lt  li gt  x000D   lt  ul gt  x000D   lt p gt This data will be used for the following purposes  lt  p gt  x000D   lt ul gt  x000D   lt li gt Completion and support of the current activity  lt  li gt  x000D   lt li gt Web site and system administration  lt  li gt  x000D   lt li gt Research and development  lt  li gt  x000D   lt li gt Historical preservation  lt  li gt  x000D   lt li gt Other purposes lt p gt Control Flow of the application lt  p gt  lt  li gt  x000D   lt  ul gt  x000D   lt p gt This data will be used by ourselves and our agents  x000D   lt p gt The data in this group has been marked as non-identifiable  This means that there is no x000D  reasonable way for the site to identify the individual person this data was collected from  x000D   lt p gt The following explanation is provided for why this data is collected  lt  p gt  x000D   lt blockquote gt This cookie data is only used to control the application within an iframe  e g  a Facebook App  lt  blockquote gt  x000D   lt  --  Use of Cookies  section of privacy policy -- gt  x000D   lt hr width  50   align  center  gt  x000D   lt h2 gt Cookies lt  h2 gt  x000D   lt p gt Cookies are a technology which can be used to provide you with tailored information from a Web site  A cookie is an element of data that a Web site can send to your browser  which may then store it on your system  You can set your browser to notify you when you receive a cookie  giving you the chance to decide whether to accept it  x000D   lt p gt Our site makes use of cookies  x000D  Cookies are used for the following purposes  x000D   lt ul gt  x000D   lt li gt Site administration x000D   lt li gt Completing the user s current activity x000D   lt li gt Research and development x000D   lt li gt Other x000D   Control Flow of the application  x000D   lt  ul gt  x000D   lt  --  Compact Policy Explanation  section of privacy policy -- gt  x000D   lt hr width  50   align  center  gt  x000D   lt h2 gt Compact Policy Summary lt  h2 gt  x000D   lt p gt The compact policy which corresponds to this policy is  x000D   lt pre gt  x000D      CP  ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV  x000D   lt  pre gt  x000D   lt p gt The following table explains the meaning of each field in the compact policy  x000D   lt center gt  lt table width  80   border  1  cols  2  gt  x000D   lt tr gt  lt td align  center  valign  top  width  20   gt  lt b gt Field lt  b gt  lt  td gt  lt td align  center  valign  top  width  80   gt  lt b gt Meaning lt  b gt  lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt CP  lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt This is the compact policy header  it indicates that what follows is a P3P compact policy  lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt ALL lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  Access to all collected information is available  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt DSP lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The policy contains at least one dispute-resolution mechanism  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt NID lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The information collected is not personally identifiable  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt CURa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for completion of the current activity  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt ADMa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for site administration  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt DEVa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for research and development  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt HISa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for historical archival purposes  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt OTPa lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is used for other purposes  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt OUR lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is given to ourselves and our agents  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt NOR lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  The data is not kept beyond the current transaction  x000D   lt  td gt  lt  tr gt  x000D   lt tr gt  lt td align  left  valign  top  width  20   gt  lt tt gt NAV lt  tt gt  lt  td gt  x000D   lt td align  left  valign  top  width  80   gt  x000D  Navigation and clickstream data is collected  x000D   lt  td gt  lt  tr gt  x000D   lt  table gt  lt  center gt  x000D   lt p gt The compact policy is sent by the Web server along with the cookies it describes  x000D  For more information  see the P3P deployment guide at  lt a href  http   www w3 org TR p3pdeployment  gt http   www w3 org TR p3pdeployment lt  a gt   x000D   lt  --  Policy Evaluation  section of privacy policy -- gt  x000D   lt hr width  50   align  center  gt  x000D   lt h2 gt Policy Evaluation lt  h2 gt  x000D   lt p gt Microsoft Internet Explorer 6 will evaluate this policy s compact policy whenever it is used with a cookie  x000D  The actions IE will take depend on what privacy level the user has selected in their browser  Low  Medium  Medium High  or High  the default is Medium  x000D  In addition  IE will examine whether the cookie s policy is considered satisfactory or unsatisfactory  whether the cookie is a session cookie or a persistent cookie  and whether the cookie is used in a first-party or third-party context  x000D  This section will attempt to evaluate this policy s compact policy against Microsoft s stated behavior for IE6  x000D   lt p gt  lt b gt Note  lt  b gt  this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser  x000D   lt p gt  lt b gt Satisfactory policy lt  b gt   this compact policy is considered  lt em gt satisfactory lt  em gt  according to the rules defined by Internet Explorer 6  x000D  IE6 will accept cookies accompanied by this policy under the High  Medium High  Medium  Low  and Accept All Cookies settings  x000D   lt  body gt  lt  html gt  x000D   x000D   x000D     Content of policy p3p    lt  xml version  1 0   gt   lt POLICIES xmlns  http   www w3 org 2002 01 P3Pv1  gt       lt  -- Generated by IBM P3P Policy Editor version Beta 1 12 built 2 27 04 1 19 PM -- gt        lt  -- Expiry information for this policy -- gt       lt EXPIRY max-age  86400   gt    lt POLICY     name  App      discuri  ABSOLUTE URL TO policy html      xml lang  de  gt       lt  -- Description of the entity making this policy statement  -- gt       lt ENTITY gt       lt DATA-GROUP gt   lt DATA ref   business name  gt COMPANY NAME lt  DATA gt   lt DATA ref   business contact-info online email  gt info YOURMAIL eu lt  DATA gt   lt DATA ref   business contact-info online uri  gt YOURWEBSITE lt  DATA gt   lt DATA ref   business contact-info telecom telephone number  gt YOURPHONENUMBER lt  DATA gt   lt DATA ref   business contact-info postal organization  gt FIRSTNAME LASTNAME lt  DATA gt   lt DATA ref   business contact-info postal street  gt STREET lt  DATA gt   lt DATA ref   business contact-info postal city  gt CITY lt  DATA gt   lt DATA ref   business contact-info postal stateprov  gt STAGE lt  DATA gt   lt DATA ref   business contact-info postal postalcode  gt POSTALCODE lt  DATA gt   lt DATA ref   business contact-info postal country  gt Germany lt  DATA gt       lt  DATA-GROUP gt       lt  ENTITY gt        lt  -- Disclosure -- gt       lt ACCESS gt  lt all  gt  lt  ACCESS gt         lt  -- Disputes -- gt       lt DISPUTES-GROUP gt           lt DISPUTES resolution-type  service  service  YOURWEBSITE CONTACT FORM  short-description  Dispute  gt               lt LONG-DESCRIPTION gt Contact us for further information lt  LONG-DESCRIPTION gt       lt  -- No remedies specified -- gt           lt  DISPUTES gt       lt  DISPUTES-GROUP gt        lt  -- Statement for group  App control data  -- gt       lt STATEMENT gt           lt EXTENSION optional  yes  gt               lt GROUP-INFO xmlns  http   www software ibm com P3P editor extension-1 0 html  name  App control data   gt           lt  EXTENSION gt        lt  -- Consequence -- gt       lt CONSEQUENCE gt  This cookie data is only used to control the application within an iframe  e g  a Facebook App  lt  CONSEQUENCE gt        lt  -- Data in this statement is marked as being non-identifiable -- gt       lt NON-IDENTIFIABLE  gt        lt  -- Use  purpose  -- gt       lt PURPOSE gt  lt admin  gt  lt current  gt  lt develop  gt  lt historical  gt  lt other-purpose gt Control Flow of the application lt  other-purpose gt  lt  PURPOSE gt        lt  -- Recipients -- gt       lt RECIPIENT gt  lt ours  gt  lt  RECIPIENT gt        lt  -- Retention -- gt       lt RETENTION gt  lt no-retention  gt  lt  RETENTION gt        lt  -- Base dataschema elements  -- gt       lt DATA-GROUP gt       lt DATA ref   dynamic cookies  gt  lt CATEGORIES gt  lt navigation  gt  lt  CATEGORIES gt  lt  DATA gt       lt  DATA-GROUP gt   lt  STATEMENT gt    lt  -- End of policy -- gt   lt  POLICY gt   lt  POLICIES gt

User · Answer

This is a great topic on the issue  however I found that one important detail  which was essential at least in my case  that was not posted here or anywhere else  I apologize if I just missed it  was that the P3P line must be passed in header of EVERY file sent from the 3rd party server  even files not setting or using the cookies such as Javascript files or images  Otherwise the cookies will be blocked  I have more on this in a post here  http   posheika net  p 110

User · Answer

Anyone having this problem in node js   Then add this p3p module  and enable this module at middleware   npm install p3p   I am using express so I add it in app js  First require that module in app js  var express   require  express    var app   express    var p3p   require  p3p      then use it as middleware  app use p3p p3p recommended      It will add p3p headers at res object  No need to do any extra things   You will get more info at   https   github com troygoode node-p3p

User · Answer

A better solution would be to make an Ajax call inside the iframe to the page that would get set cookies

User · Answer

I got it to work  but the solution is a bit complex  so bear with me   What s happening  As it is  Internet Explorer gives lower level of trust to IFRAME pages  IE calls this  third-party  content   If the page inside the IFRAME doesn t have a Privacy Policy  its cookies are blocked  which is indicated by the eye icon in status bar  when you click on it  it shows you a list of blocked URLs      source  piskvor org     In this case  when cookies are blocked  session identifier is not sent  and the target script throws a  session not found  error    I ve tried setting the session identifier into the form and loading it from POST variables  This would have worked  but for political reasons I couldn t do that    It is possible to make the page inside the IFRAME more trusted  if the inner page sends a P3P header with a privacy policy that is acceptable to IE  the cookies will be accepted    How to solve it  Create a p3p policy  A good starting point is the W3C tutorial  I ve gone through it  downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by  here it was policy1     NOTE  at this point  you actually need to find out if your site has a privacy policy  and if not  create it - whether it collects user data  what kind of data  what it does with it  who has access to it  etc  You need to find this information and think about it  Just slapping together a few tags will not cut it  This step cannot be done purely in software  and may be highly political  e g   should we sell our click statistics       e g   the site is operated by ACME Ltd   it uses anonymous per-session identifiers for its operation  collects user data only if explicitly permitted and only for the following purposes  the data is stored only as long as necessary  only our company has access to it  etc  etc        When editing with this tool  it s possible to view errors omissions in the policy  Also very useful is the tab  HTML Policy   at the bottom  it has a  Policy Evaluation  - a quick check if the policy will be blocked by IE s default settings   The Editor exports to a  p3p file  which is an XML representation of the above policy  Also  it can export a  compact version  of this policy   Link to the policy  Then a Policy Reference file  http   example com w3c p3p xml  was needed  an index of privacy policies the site uses     lt META gt     lt POLICY-REFERENCES gt       lt POLICY-REF about   w3c example-com p3p policy1  gt         lt INCLUDE gt   lt  INCLUDE gt         lt COOKIE-INCLUDE  gt       lt  POLICY-REF gt     lt  POLICY-REFERENCES gt   lt  META gt    The  lt INCLUDE gt  shows all URIs that will use this policy  in my case  the whole site   The policy file I ve exported from the Editor was uploaded to http   example com w3c example-com p3p   Send the compact header with responses  I ve set the webserver at example com to send the compact header with responses  like this   HTTP 1 1 200 OK  P3P  policyref   w3c p3p xml   CP  IDC DSP COR IVAi IVDi OUR TST         other headers and content   policyref is a relative URI to the Policy Reference file  which in turn references the privacy policies   CP is the compact policy representation  Note that the combination of P3P headers in the example may not be applicable on your specific website  your P3P headers MUST truthfully represent your own privacy policy   Profit   In this configuration  the Evil Eye does not appear  the cookies are saved even in the IFRAME  and the application works   Edit  What NOT to do  unless you like defending from lawsuits  Several people have suggested  just slap some tags into your P3P header  until the Evil Eye gives up    The tags are not only a bunch of bits  they have real world meanings  and their use gives you real world responsibilities    For example  pretending that you never collect user data might make the browser happy  but if you actually collect user data  the P3P is conflicting with reality  Plain and simple  you are purposefully lying to your users  and that might be criminal behavior in some countries  As in   go to jail  do not collect  200    A few examples  see p3pwriter for the full set of tags     NOI    Web Site does not collected identified data    as soon as there s any customization  a login  or any data collection        Analytics  anyone    you must acknowledge it in your P3P  STP  Information is retained to meet the stated purpose  This requires information to be discarded at the earliest time possible  Sites MUST have a retention policy that establishes a destruction time table  The retention policy MUST be included in or linked from the site s human-readable privacy policy    so if you send STP but don t have a retention policy  you may be committing fraud  How cool is that  Not at all     I m not a lawyer  but I m not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually willing to honor your promises

User · Answer

This is buried in the comments of other answers  but I almost missed it  so it seems like it deserves its own answer   To review  in order for IE to accept 3rd party cookies  you need serve your files with an http header called p3p in the format   CP  my compact p3p policy    BUT  p3p is pretty much dead as a standard at this point and you can easily get IE to work without investing the time and legal resources in creating a real p3p policy   This is because if your compact p3p policy header is invalid  IE actually treats it as a good policy and accepts 3rd party cookies   So you can use a p3p header such as this  CP  This site does not have a p3p policy     You can optionally include a link to a page that explains why you don t have a p3p policy  as Google and Facebook do  they point here  https   support google com accounts answer 151657 and  here  https   www facebook com help 327993273962160     Finally  it s important to note that all files served from the 3rd party site need to have the p3p header  not just the one that sets the cookie  so you may not be able to just do this in your PHP  asp net  etc code   You are probably better off setting in up on the web server level  i e  in IIS or Apache

User · Answer

If anybody is looking for Apache line  we used this one       Header set P3P  CP   Thanks IE8      It really didn t matter what we set CP value to  as long as there is the P3P header

User · Answer

I was investigating this problem with regard to login-off via Azure Access Control Services  and wasn t able to connect head and tails of anything   Then  stumbled over this post https   blogs msdn microsoft com ieinternals 2011 03 10 beware-cookie-sharing-in-cross-zone-scenarios    In short  IE doesn t share cookies across zones  eg  Internet vs  Trusted sites    So  if your IFrame target and html page are in different zone s P3P won t help with anything

User · Answer

A better solution would be to make an Ajax call inside the iframe to the page that would get set cookies

User · Answer

For anyone trying to get the P3P Compact Policy working with static content  It is only possible if you are able to send custom server-side response headers with the static content  For a more detailed explanation see my answer here  Set P3P code in HTML

User · Answer

A better solution would be to make an Ajax call inside the iframe to the page that would get set cookies

User · Answer

I ve implemented a full P3P policy before but didn t want go through the hassle again for a new project I was working on  I found this link useful for a simple solution to the problem  only having to specify a minimal compact P3P policy of  CAO PSA OUR     http   blog sweetxml org 2007 10 minimal-p3p-compact-policy-suggestion html  The article quotes a  now broken  link to a Microsoft kb article  The policy did the trick for me

User · Answer

If you own the domain that needs to be embedded  then you could  before calling the page that includes the IFrame  redirect to that domain  which will create the cookie and redirect back  as explained here  http   www mendoweb be blog internet-explorer-safari-third-party-cookie-problem   This will work for Internet Explorer but for Safari as well  because Safari also blocks the third-party cookies

User · Answer

If you own the domain that needs to be embedded  then you could  before calling the page that includes the IFrame  redirect to that domain  which will create the cookie and redirect back  as explained here  http   www mendoweb be blog internet-explorer-safari-third-party-cookie-problem   This will work for Internet Explorer but for Safari as well  because Safari also blocks the third-party cookies

User · Answer

If anybody is looking for Apache line  we used this one       Header set P3P  CP   Thanks IE8      It really didn t matter what we set CP value to  as long as there is the P3P header

User · Answer

I ve implemented a full P3P policy before but didn t want go through the hassle again for a new project I was working on  I found this link useful for a simple solution to the problem  only having to specify a minimal compact P3P policy of  CAO PSA OUR     http   blog sweetxml org 2007 10 minimal-p3p-compact-policy-suggestion html  The article quotes a  now broken  link to a Microsoft kb article  The policy did the trick for me

User · Answer

I had this issue as well  thought I d post the code that I used in my MVC2 project  Be careful when in the page life cycle you add in the header or you ll get an HttpException  Server cannot append header after HTTP headers have been sent   I used a custom ActionFilterAttribute on the OnActionExecuting method  called before the action is executed         lt summary gt      Privacy Preferences Project  P3P  serve a compact policy  a  p3p  HTTP header  for all requests     P3P provides a standard way for Web sites to communicate about their practices around the collection       use  and distribution of personal information  It s a machine-readable privacy policy that can be      automatically fetched and viewed by users  and it can be tailored to fit your company s specific policies       lt  summary gt       lt remarks gt      More info http   www oreillynet com lpt a 1554      lt  remarks gt  public class P3PAttribute   ActionFilterAttribute            lt summary gt          On Action Executing add a compact policy  p3p  HTTP header          lt  summary gt           lt param name  filterContext  gt  lt  param gt      public override void OnActionExecuting ActionExecutingContext filterContext                HttpContext Current Response AddHeader  p3p   CP   IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT               base OnActionExecuting filterContext             Example use    P3P  public class HomeController   Controller       public ActionResult Index                 ViewData  Message      Welcome             return View               public ActionResult About                 return View

User · Answer

In Rails 3 2 I am using   class ApplicationController  lt  ActionController  Base      before filter  set p3p      private         for IE session cookies thru iframe       def set p3p         headers  P3P      CP  ALL DSP COR CURa ADMa DEVa OUR IND COM NAV         end   end     I got this from  http   dot-net-web-developer-bristol blogspot com 2012 04 setting-p3p-header-in-rails-session html

User · Answer

One possible thing to do is to add the domain to allowed sites in tools -  internet options -  privacy -  sites  somedomain com -  allow -  OK

User · Answer

I ve spend a large part of my day looking into this P3P thing and I feel the need to share what I ve found out   I ve noticed that the P3P concept is very outdated and seems only to be really used enforced by Internet Explorer  IE    The simplest explanation is  IE wants you to define a P3P header if you are using cookies   This is a nice idea  and luckily most of the time not providing this header won t cause any issues  read browser warnings   Unless your website web application is loaded into an other website using an  i Frame  This is where IE becomes a massive pain in the      It will not allow you to set a cookie unless the P3P header is set    Knowing this I wanted to find an answer to the following two questions    Who cares  In other words  can I be sued if I put the word  Potato  in the header  What do other companies do    My findings are    No one cares  I m unable to find a single document that suggests this technology has any legal weight  During my research I didn t find a single country around the world that has adopted a law that prevents you from putting the word  Potato  in the P3P header Both Google and Facebook put a link in their P3P header field referring to a page describing why they don t have a P3P header    The concept was born in 2002 and it baffles me that this outdated and legally unimplemented concept is still forced upon developers within IE  If this header doesn t have have any legal ramifications this header should be ignored  or alternatively  generate a warning or notification in the console   Not enforced  I m now forced to put a line in my code  and send a header to the client  that does absolutely nothing   In short - to keep IE happy - add the following line to your PHP code  Other languages should look similar   header  P3P  CP  Potato       Problem solved  and IE is happy with this potato

User · Answer

This is a great topic on the issue  however I found that one important detail  which was essential at least in my case  that was not posted here or anywhere else  I apologize if I just missed it  was that the P3P line must be passed in header of EVERY file sent from the 3rd party server  even files not setting or using the cookies such as Javascript files or images  Otherwise the cookies will be blocked  I have more on this in a post here  http   posheika net  p 110

User · Answer

You can also combine the p3p xml and policy xml files as such    home ubuntu sites shared w3c p3p xml   lt META xmlns  http   www w3 org 2002 01 P3Pv1  gt     lt POLICY-REFERENCES gt       lt POLICY-REF about   policy1  gt         lt INCLUDE gt   lt  INCLUDE gt         lt COOKIE-INCLUDE  gt       lt  POLICY-REF gt     lt  POLICY-REFERENCES gt     lt POLICIES gt       lt POLICY discuri    name  policy1  gt         lt ENTITY gt           lt DATA-GROUP gt             lt DATA ref   business name  gt  lt  DATA gt              lt DATA ref   business contact-info online email  gt  lt  DATA gt            lt  DATA-GROUP gt         lt  ENTITY gt         lt ACCESS gt           lt nonident  gt         lt  ACCESS gt         lt  -- if the site has a dispute resolution procedure that it follows  a DISPUTES-GROUP should be included here -- gt         lt STATEMENT gt           lt PURPOSE gt             lt current  gt             lt admin  gt             lt develop  gt           lt  PURPOSE gt           lt RECIPIENT gt             lt ours  gt           lt  RECIPIENT gt           lt RETENTION gt             lt indefinitely  gt           lt  RETENTION gt           lt DATA-GROUP gt             lt DATA ref   dynamic clickstream   gt             lt DATA ref   dynamic http   gt           lt  DATA-GROUP gt         lt  STATEMENT gt       lt  POLICY gt     lt  POLICIES gt   lt  META gt    I found the easiest way to add a header is proxy through Apache and use mod headers  as such    lt VirtualHost   80 gt    ServerName mydomain com    DocumentRoot  home ubuntu sites shared w3c     ProxyRequests off   ProxyPass  w3c      ProxyPass   http   127 0 0 1 8080    ProxyPassReverse   http   127 0 0 1 8080    ProxyPreserveHost on    Header add p3p  P3P policyref   w3c p3p xml   CP  NID DSP ALL COR    lt  VirtualHost gt    So we proxy all requests except those to  w3c p3p xml to our application server   You can test it all with the W3C validator

User · Answer

I was investigating this problem with regard to login-off via Azure Access Control Services  and wasn t able to connect head and tails of anything   Then  stumbled over this post https   blogs msdn microsoft com ieinternals 2011 03 10 beware-cookie-sharing-in-cross-zone-scenarios    In short  IE doesn t share cookies across zones  eg  Internet vs  Trusted sites    So  if your IFrame target and html page are in different zone s P3P won t help with anything

User · Answer

I ve spend a large part of my day looking into this P3P thing and I feel the need to share what I ve found out   I ve noticed that the P3P concept is very outdated and seems only to be really used enforced by Internet Explorer  IE    The simplest explanation is  IE wants you to define a P3P header if you are using cookies   This is a nice idea  and luckily most of the time not providing this header won t cause any issues  read browser warnings   Unless your website web application is loaded into an other website using an  i Frame  This is where IE becomes a massive pain in the      It will not allow you to set a cookie unless the P3P header is set    Knowing this I wanted to find an answer to the following two questions    Who cares  In other words  can I be sued if I put the word  Potato  in the header  What do other companies do    My findings are    No one cares  I m unable to find a single document that suggests this technology has any legal weight  During my research I didn t find a single country around the world that has adopted a law that prevents you from putting the word  Potato  in the P3P header Both Google and Facebook put a link in their P3P header field referring to a page describing why they don t have a P3P header    The concept was born in 2002 and it baffles me that this outdated and legally unimplemented concept is still forced upon developers within IE  If this header doesn t have have any legal ramifications this header should be ignored  or alternatively  generate a warning or notification in the console   Not enforced  I m now forced to put a line in my code  and send a header to the client  that does absolutely nothing   In short - to keep IE happy - add the following line to your PHP code  Other languages should look similar   header  P3P  CP  Potato       Problem solved  and IE is happy with this potato

User · Answer

For anyone trying to get the P3P Compact Policy working with static content  It is only possible if you are able to send custom server-side response headers with the static content  For a more detailed explanation see my answer here  Set P3P code in HTML

User · Answer

I got it to work  but the solution is a bit complex  so bear with me   What s happening  As it is  Internet Explorer gives lower level of trust to IFRAME pages  IE calls this  third-party  content   If the page inside the IFRAME doesn t have a Privacy Policy  its cookies are blocked  which is indicated by the eye icon in status bar  when you click on it  it shows you a list of blocked URLs      source  piskvor org     In this case  when cookies are blocked  session identifier is not sent  and the target script throws a  session not found  error    I ve tried setting the session identifier into the form and loading it from POST variables  This would have worked  but for political reasons I couldn t do that    It is possible to make the page inside the IFRAME more trusted  if the inner page sends a P3P header with a privacy policy that is acceptable to IE  the cookies will be accepted    How to solve it  Create a p3p policy  A good starting point is the W3C tutorial  I ve gone through it  downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by  here it was policy1     NOTE  at this point  you actually need to find out if your site has a privacy policy  and if not  create it - whether it collects user data  what kind of data  what it does with it  who has access to it  etc  You need to find this information and think about it  Just slapping together a few tags will not cut it  This step cannot be done purely in software  and may be highly political  e g   should we sell our click statistics       e g   the site is operated by ACME Ltd   it uses anonymous per-session identifiers for its operation  collects user data only if explicitly permitted and only for the following purposes  the data is stored only as long as necessary  only our company has access to it  etc  etc        When editing with this tool  it s possible to view errors omissions in the policy  Also very useful is the tab  HTML Policy   at the bottom  it has a  Policy Evaluation  - a quick check if the policy will be blocked by IE s default settings   The Editor exports to a  p3p file  which is an XML representation of the above policy  Also  it can export a  compact version  of this policy   Link to the policy  Then a Policy Reference file  http   example com w3c p3p xml  was needed  an index of privacy policies the site uses     lt META gt     lt POLICY-REFERENCES gt       lt POLICY-REF about   w3c example-com p3p policy1  gt         lt INCLUDE gt   lt  INCLUDE gt         lt COOKIE-INCLUDE  gt       lt  POLICY-REF gt     lt  POLICY-REFERENCES gt   lt  META gt    The  lt INCLUDE gt  shows all URIs that will use this policy  in my case  the whole site   The policy file I ve exported from the Editor was uploaded to http   example com w3c example-com p3p   Send the compact header with responses  I ve set the webserver at example com to send the compact header with responses  like this   HTTP 1 1 200 OK  P3P  policyref   w3c p3p xml   CP  IDC DSP COR IVAi IVDi OUR TST         other headers and content   policyref is a relative URI to the Policy Reference file  which in turn references the privacy policies   CP is the compact policy representation  Note that the combination of P3P headers in the example may not be applicable on your specific website  your P3P headers MUST truthfully represent your own privacy policy   Profit   In this configuration  the Evil Eye does not appear  the cookies are saved even in the IFRAME  and the application works   Edit  What NOT to do  unless you like defending from lawsuits  Several people have suggested  just slap some tags into your P3P header  until the Evil Eye gives up    The tags are not only a bunch of bits  they have real world meanings  and their use gives you real world responsibilities    For example  pretending that you never collect user data might make the browser happy  but if you actually collect user data  the P3P is conflicting with reality  Plain and simple  you are purposefully lying to your users  and that might be criminal behavior in some countries  As in   go to jail  do not collect  200    A few examples  see p3pwriter for the full set of tags     NOI    Web Site does not collected identified data    as soon as there s any customization  a login  or any data collection        Analytics  anyone    you must acknowledge it in your P3P  STP  Information is retained to meet the stated purpose  This requires information to be discarded at the earliest time possible  Sites MUST have a retention policy that establishes a destruction time table  The retention policy MUST be included in or linked from the site s human-readable privacy policy    so if you send STP but don t have a retention policy  you may be committing fraud  How cool is that  Not at all     I m not a lawyer  but I m not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually willing to honor your promises

User · Answer

I know it s a bit late to put my contribution on this subject but I lost so many hours that maybe this answer will help somebody   I was trying to call a third party cookie on my site and of course it was not working on Internet Explorer 10  even at a low security level    don t ask me why  In the iframe I was calling a read cookie php  echo   COOKIE  with ajax   And I don t know why I was incapable of setting the P3P policy to solve the problem     During my search I saw something about getting the cookie in JSON working  I don t even try because I thought that if the cookie won t pass through an iframe  it will not pass any more through an array     Guess what  it does  So if you json encode your cookie then decode after your ajax request  you ll get it   Maybe there is something I missed and if I did  all my apologies  but i never saw something so stupid  Block third party cookies for security  why not  but let it pass if encoded  Where is the security now   I hope this post will help somebody and again  if I missed something and I m dumb  please educate me

User · Answer

In Rails 3 2 I am using   class ApplicationController  lt  ActionController  Base      before filter  set p3p      private         for IE session cookies thru iframe       def set p3p         headers  P3P      CP  ALL DSP COR CURa ADMa DEVa OUR IND COM NAV         end   end     I got this from  http   dot-net-web-developer-bristol blogspot com 2012 04 setting-p3p-header-in-rails-session html

[internet-explorer] Cookie blocked/not saved in IFRAME in Internet Explorer

Examples related to internet-explorer

Examples related to cookies

Examples related to privacy

Examples related to p3p