tags:

views:

1000

answers:

1
+2  Q: 

P3P Policy not working to allow 3rd party cookies in IE

Hi all,

Thanks in advance for helping a first-time poster. I've been banging my head on the wall all day...

I have a site that must be able to function and set cookies while running inside a frame. In IE, with default security settings, this is a problem, because a framed site's cookies are treated as third party. Now, I've read all the info on P3P, and I've created a compact privacy policy, served via HTTP header, an XML policy file, and an XML reference file. I have checked, and the header is being sent properly, and IE can read the policy file.

However, it is STILL blocking cookies from the site. I've created a stripped-down example here: http://www.hankshelper.com/privtest.php Note that cookies in the framed site are being blocked by IE (6, 7, and 8).

If anyone could check out my compact policy

Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR NID DEVi OUR BUS INT\""

and/or XML policy http://www.searchtempest.com/w3c/searchtempest.xml

and let me know wtf, I would be eternally grateful. I've stripped them down as much as possible, and I just can't see anything that IE would have a problem with. (And of course IE itself is wonderfully verbose as far as exactly WHY it's blocking cookies...) I'm happy to provide any additional information you need.

A: 

The policy checker at http://www.webentrust.com/p3p.html says Error: No P3P Policy Found

You are saying, in the p3p header, this: 

P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR NID DEVi OUR BUS INT"

meaning "I have this compact policy (CP), and also this full policy: /w3c/p3p.xml". BUT, http://www.hankshelper.com/w3c/p3p.xml (referenced above) gives a 404 Not Found error. You have to create your p3p policy - e.g. using the IBM P3P Editor and upload it to the path you specified.

Piskvor  2009-11-10 11:43:43
The header and policy file need to be set for the third party (ie the framed site), not the parent site. You can find the policy reference file at http://www.searchtempest.com/w3c/p3p.xml and the policy file at http://www.searchtempest.com/w3c/searchtempest.xml
Nathan  2009-11-10 22:14:20
When I visit the policy checker you mentioned (http://www.webentrust.com/p3p.html) and give it the url of my privacy policy (http://hh.searchtempest.com/w3c/searchtempest.xml) it seems to work fine. Also, thanks for the IBM link - I did use that tool to generate the policy originally.
Nathan  2009-11-10 22:22:02
Ah, silly me. You are right, the P3P policy has to be set for the site inside the `IFRAME`.
Piskvor  2009-11-11 08:57:01

related questions

Prevent Use of the Back Button (in IE)
How to stop IIS asking authentication for default website on localhost
Why do I cannot jQuery my page under Internet Explorer
How To Write a Plug-In for IE
Firefox vs. IE: innerHTML handling
Detect DOM modification in Internet Explorer
Good reasons for not letting the browser launch local applications
Printing DOM Changes
IE6 security login (debugging via VirtualPC)
What is your best tool or techniques for getting the same display on IE6/7 and Firefox?
IE 7+ Favorites
IE Securty Zone Issues
JavaScript Profiler in IE
IE6 - can't load a normal JPG
Opening Explorer shell with admin priveleges on XP (with IE7 installed)
Should we support IE6 anymore?
How do I add a pre tag inside a code tag with jQuery?
How can I get Unicode characters to display properly for the tooltip for the IMG ALT in IE7?
Weird event behavior in IE7
Firebug for IE
Debugging Javascript in Internet Explorer and Safari
IE6: To support or not to support.
Tabbed file browsing in Windows
Debugging: IE6 + SSL + AJAX + post form = 404 error
Javascript troubleshooting tools in IE