❧︎ Attaboy Media

Musings on assorted geekery by Luke Andrews when he’s not writing at attaboy.ca or on Twitter.
29 October 2009

On Internet Explorer 7, cookies, iframes and privacy settings

With Dabble DB, one of the recommend techniques that people use is to embed database pages into their websites using an iframe tag. This presented a weird problem, however, when combined with access control: on Internet Explorer 7, logging in to such pages didn’t work. Instead, people would simply be redirected to the login page.

Initially I was unable to reproduce the problem, but then I noticed that my Privacy options were set to “allow all cookies”, which is not the default setting. The default, aka “Medium” privacy, triggered the problem. So: IE7 doesn’t allow cookies to be set by webpages in an iframe. As the Brits like to say, oh pants.

After some googling, I found this comment on the Facebook developers’ forum which outlined the solution: create a “P3P” policy and include a compact version of it in an HTTP header. What’s P3P, you ask? Turns out it’s an ignored standard for communicating data privacy intentions that only Microsoft ever bothered to implement. They’ve since abandoned it for IE8. At its default settings, IE7 doesn’t trust iframe pages to set cookies unless they announce their intentions with the P3P header.

So I diligently downloaded this P3P policy program, created a policy, and then added the compact policy in a header in our Apache configuration:

BrowserMatch MSIE IS_MSIE
Header set P3P "policyref=\"http://dabbledb.com/legal/p3p.xml\", CP=\"NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT\"" env=IS_MSIE

Note that you need mod_headers enabled in Apache to use the Header command. The XML file referenced in the header is optional as far as I can tell, but I thought I’d include it for good measure.

For what it’s worth, Facebook themselves seemed to settle on a somewhat simpler approach. They added only CP=HONK to the P3P header. What’s HONK mean? Who knows. I suspect it’s Facebook’s cheeky way of saying they don’t respect this whole P3P business. But it works anyway. Yep, that’s some tight security there, Microsoft.

blog comments powered by Disqus