When creating an iframe dynamically (JavaScript) in IE and trying to access its document, an access denied error is issued (because its source is not on the same domain as the containing HTML).

I think I read somewhere that a P3P header can lower this restriction (usually it is used for 3rd party cookies). Can anyone explain how to do it for a dynamically created iframe (or point me to this data)?

+2  A: 

No. P3P has no relation to the JavaScript Same-Origin Policy, which cannot be circumvented short of a security hole in the browser or the remote site.

You may have to proxy the iframe content through your own site, if that's possible.

bobince
Thanks. What are the best practices for the proxying? I need it to be very efficient (can't have open sockets for each page view); this is for a service that runs millions of hits a day.
Nir
Usually you'd have a server-side script on your server that makes an HTTP request to the third-party server and spits it back out either as a separate document in an iframe or as part of the main document itself. Either way you are accepting third-party content into your security context so you have to trust it or sanitise it to ensure any scripting doesn't mess up your own site. You should also cache the response from the third-party server as much as possible to decrease the traffic from your server (which may be taken as abuse if it's too high) and speed up responsiveness for the user.
bobince
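
The caching layer of such a proxy, as an added example that is not part of the original thread: a TTL cache that collapses concurrent requests for the same page into one upstream fetch, so page views do not each open a socket, and refuses any upstream outside a fixed allowlist so the endpoint cannot be used as an open proxy. The names `createCachingProxy`, `isAllowedUpstream`, `fetchUpstream`, the 60-second TTL and the host `widgets.example.com` are assumptions made for illustration.

```javascript
// Added example (hypothetical names): cache in front of the third-party fetch.
// Assumption: only this placeholder host may be proxied.
const ALLOWED_HOSTS = new Set(["widgets.example.com"]);

// True only for https URLs whose host is on the allowlist.
function isAllowedUpstream(rawUrl) {
  try {
    const url = new URL(rawUrl);
    return url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
  } catch (err) {
    return false; // malformed URL
  }
}

// fetchUpstream(url) -> Promise<string> performs the real HTTP request;
// it is injected so the cache logic can run without network access.
function createCachingProxy(fetchUpstream, ttlMs = 60000, now = Date.now) {
  const cache = new Map();    // url -> { body, expires }
  const inFlight = new Map(); // url -> pending Promise shared by callers

  return function get(rawUrl) {
    if (!isAllowedUpstream(rawUrl)) {
      return Promise.reject(new Error("upstream not allowed"));
    }
    const key = new URL(rawUrl).href;

    // Fresh cache entry: answer without touching the third-party server.
    const hit = cache.get(key);
    if (hit && hit.expires > now()) return Promise.resolve(hit.body);

    // A fetch for this URL is already running: share its result.
    if (inFlight.has(key)) return inFlight.get(key);

    const pending = Promise.resolve(fetchUpstream(key))
      .then((body) => {
        cache.set(key, { body, expires: now() + ttlMs });
        return body;
      })
      .finally(() => inFlight.delete(key)); // failures are not cached
    inFlight.set(key, pending);
    return pending;
  };
}
```

The returned body is still third-party markup and has to be trusted or sanitised before it is served from your own origin, as the answer notes.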