With Dabble DB, one of the recommend techniques that people use is to embed database pages into their websites using an
iframe tag. This presented a weird problem, however, when combined with access control: on Internet Explorer 7, logging in to such pages didn’t work. Instead, people would simply be redirected to the login page.
Initially I was unable to reproduce the problem, but then I noticed that my Privacy options were set to “allow all cookies”, which is not the default setting. The default, aka “Medium” privacy, triggered the problem. So: IE7 doesn’t allow cookies to be set by webpages in an iframe. As the Brits like to say, oh pants.
After some googling, I found this comment on the Facebook developers’ forum which outlined the solution: create a “P3P” policy and include a compact version of it in an HTTP header. What’s P3P, you ask? Turns out it’s an ignored standard for communicating data privacy intentions that only Microsoft ever bothered to implement. They’ve since abandoned it for IE8. At its default settings, IE7 doesn’t trust iframe pages to set cookies unless they announce their intentions with the P3P header.
So I diligently downloaded this P3P policy program, created a policy, and then added the compact policy in a header in our Apache configuration:
BrowserMatch MSIE IS_MSIE Header set P3P "policyref=\"http://dabbledb.com/legal/p3p.xml\", CP=\"NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT\"" env=IS_MSIE
Note that you need
mod_headers enabled in Apache to use the Header command. The XML file referenced in the header is optional as far as I can tell, but I thought I’d include it for good measure.
For what it’s worth, Facebook themselves seemed to settle on a somewhat simpler approach. They added only
CP=HONK to the P3P header. What’s HONK mean? Who knows. I suspect it’s Facebook’s cheeky way of saying they don’t respect this whole P3P business. But it works anyway. Yep, that’s some tight security there, Microsoft.