Unable to set cookies in IFRAME in IE, even with P3P header

I saw a lot of posts on how to make cookies work inside an iframe in IE, and I tried several solutions, but still no luck. Here is what I mean:

  • I have an iframe that is created via JavaScript on the client site (a widget). I have no control over the client site. I need to set cookies so that the user can log in inside the iframe; this works in Chrome and Firefox, but not in IE 7/8. I have not tested IE 6, but I assume it has the same problem.

  • I created the P3P policy using the IBM policy editor, and the editor said that compact policy is acceptable as part of IE security, whether it is set to Low, Medium or High. The CP that I use is:

P3P: policyref="/w3c/p3p.xml" CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa CONi TELi OUR IND PHY ONL UNI COM NAV INT DEM CNT PRE" (I tried several other CPs that people say work, but did not see any difference in the result.)

  • A web server (NGINX) serves this P3P header with each file. I do not serve it from code.

  • The p3p.xml file exists and conforms to the CD policy. The p3p.xml file validates with the W3C P3P validator.

  • Even with the P3P header (no matter what I tried), IE gives me a "jinx" in the status bar below and will not let me set cookies. They appear as blocked in the privacy report.

  • I read Piskvor's post on SO on this topic: Cookie is blocked / not saved in IFRAME in Internet Explorer, but I could not reproduce what it was able to do on my demo site: http://newmoon.wz.cz/test/page.php?send_p3p=1. I suppose this is because I get the evil eye, but he does not. I did everything I read about as a recommendation to get rid of evil yet, but it persists. Taunting me.

  • My test page is here if you want to try: http://truelike.com/js/bobs/frametest.php The readable pages work fine if they are viewed outside the iframe, but they don’t work at all when using IE.

  • For reference, I use PHP on the server.

Any help at all will be appreciated - we desperately need it here.

Thanks!

+6
2 answers

So, I solved it myself. It looks like the problem is with the NGINX HttpUserIdModule (http://wiki.nginx.org/HttpUserIdModule). I used this to send the P3P header, but nginx did not send the header consistently, possibly due to this line in its documentation:

The directive assigns a value to the P3P header that will be sent along with the cookie.

I saw how the headers were pounded when checking with a curled or trot, but not when I checked with Firebug or Charles. Perhaps there is a configuration option to fix this, but I could not find it.

In any case, if you pull the header directive OUT of the HttpUserIdModule and just send the header manually from code, it works. It will probably also work if you manually send the header using the HttpHeadersModule (http://wiki.nginx.org/HttpHeadersModule), but I have not tested this yet.

As soon as it worked through the code, I saw that I did not need a header for all the files - having it only in the file settings / receiving cookies was enough, contrary to many tips that I saw.

In addition, my CP was clearly too aggressive, despite the fact that the IBM policy editor said that everything is in order. I used a more basic CP and it worked.

+4
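The answer above comes down to one check: does every response that sets a cookie also carry a P3P header with a compact policy? The following is an added example, not code from the original post; the sample responses, paths, cookie values and the short CP string are constructed for illustration.

```python
import re

def parse_headers(raw):
    """Return [(lowercased name, value), ...] from a raw HTTP response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def compact_policy(p3p_value):
    """Extract the tokens of CP="..." from a P3P header value; [] if absent."""
    m = re.search(r'\bCP\s*=\s*"([^"]*)"', p3p_value, re.IGNORECASE)
    return m.group(1).split() if m else []

def audit(raw):
    """Classify one response: 'no-cookie', 'ok' or 'cookie-without-cp'."""
    headers = parse_headers(raw)
    if not any(name == "set-cookie" for name, _ in headers):
        return "no-cookie"                     # nothing for IE to block
    tokens = [t for name, v in headers if name == "p3p"
              for t in compact_policy(v)]
    return "ok" if tokens else "cookie-without-cp"

def response(*lines):
    """Build a raw response head from header lines (constructed test data)."""
    return "\r\n".join(("HTTP/1.1 200 OK",) + lines) + "\r\n\r\n<html></html>"

# Constructed samples: what a proxy capture of the widget might contain.
SAMPLES = {
    "/widget/login.php": response(
        'P3P: policyref="/w3c/p3p.xml", CP="CAO PSA OUR"',
        "Set-Cookie: session=abc123; path=/"),
    "/widget/frame.php": response(
        "Set-Cookie: session=abc123; path=/"),          # header missing
    "/widget/prefs.php": response(
        'p3p: policyref="/w3c/p3p.xml"',                # policyref but no CP
        "Set-Cookie: theme=dark; path=/"),
    "/widget/style.css": response("Content-Type: text/css"),
}

def audit_all(samples=SAMPLES):
    """Map each sample path to its audit result."""
    return {path: audit(raw) for path, raw in samples.items()}

if __name__ == "__main__":
    for path, result in audit_all().items():
        print(f"{result:18} {path}")
```

Feeding it the headers as the browser actually received them (for example from a proxy capture) matters here, because the answer notes that command-line checks and in-browser checks did not agree.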

Changes with nginx 0.8.20
Bugfix: the "Set-Cookie" and "P3P" FastCGI response header lines were not hidden while caching if no "fastcgi_hide_header" directives were used with any parameters.

Nginx Change Log

0

Source: https://habr.com/ru/post/888592/

