zoloft pills

Enabling cross-domain (third-party) cookies

I recently created a page that contains a tabbed container. In each tab, there is a different iframe that hosts a map from a third-party domain. The iframes need to rely on cookie to communicate so that they can pass address information.

The problem is that IE 6 does not seem to have cookies enabled for those iframes. And of course, this issue does not only apply to maps, but also online ads that rely on iframes.

The cause to the issue turns out to be a security restriction in IE 6. This is one of the few places where IE 6 is more secure than other popular web browsers. IE 6 does not allow third-party cookies to be downloaded. And so if you are on a page that includes resources from another domain and cookies are generated from those resources, these cookies are known as third-party cookies.

The solution is to add an extra HTTP header. When IE 6 sees the Platform for Privacy Preferences Project (P3P) header in the resource that creates cookies, it will allow those yummy cookies to be downloaded.

The code to add the header to a specific resource can be written in various languages. Note that they should be written before the code that is responsible for the view.

P3P HTTPheader in ASP.NET

1
HttpContext.Current.Response.AddHeader("p3p",  "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND  CNT\"");

P3P HTTP header in PHP

1
header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

P3P HTTP header in JSP

1
response.setHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'")

P3P HTTP header in ColdFusion

1
<cfheader name="P3P" value="CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'" />

A site-wide approach on an Apache server can be set in a .htaccess or the httpd.conf:

1
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC  DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""

To verify the correct implementation of HTTP header, you can use Firebug:

Using Firebug to see HTTP headers
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>