Posted to dev@shindig.apache.org by "Kevin Brown (JIRA)" <ji...@apache.org> on 2008/03/29 20:21:24 UTC

[jira] Commented: (SHINDIG-161) Add P3P headers for generated Iframes

    [ https://issues.apache.org/jira/browse/SHINDIG-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12583355#action_12583355 ] 

Kevin Brown commented on SHINDIG-161:
-------------------------------------

I wrote a filter to do this at Orkut's request as well -- I think if we drop this in, it needs to be configurable. Setting 3rd party cookies might not be desirable for all containers.

> Add P3P headers for generated Iframes
> -------------------------------------
>
>                 Key: SHINDIG-161
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-161
>             Project: Shindig
>          Issue Type: Improvement
>            Reporter: Paul Lindner
>
> iGoogle adds a P3P header 
>   CP="CAO PSA OUR"
> This apparently exists to deal with this issue:
> http://support.microsoft.com/kb/323752
> SYMPTOMS
> If you implement a FRAMESET whose FRAMEs point to other Web sites on the networks of your partners or inside your network, but you use different top-level domain names, you may notice in Internet Explorer 6 that any cookies you try to set in those FRAMEs appear to be lost. This is most frequently experienced as a loss of session state in an Active Server Pages (ASP) or ASP.NET Web application. You try to access a variable in the Session object that you expect to exist, and a blank string is returned instead.
> You also see this problem in a FRAMEs context if your Web pages alternate between the use of Domain Name System (DNS) names and the use of Internet Protocol (IP) addresses.
> CAUSE
> Internet Explorer 6 introduced support for the Platform for Privacy Preferences (P3P) Project. The P3P standard notes that if a FRAMESET or a parent window references another site inside a FRAME or inside a child window, the child site is considered third party content. Internet Explorer, which uses the default privacy setting of Medium, silently rejects cookies sent from third party sites.
> RESOLUTION
> You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.
> A simple compact policy that fulfills this criteria follows:
> P3P: CP="CAO PSA OUR"
> -----
> question -- is it valid to insert this?

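
One way to make the header configurable per container, as the comment above asks. This is an added example, not Kevin Brown's filter and not Shindig code; the class name `P3pHeaderFilter` and the `p3p.enabled` / `p3p.policy` init parameters are hypothetical, and the token shape check is an assumption of this example.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: adds a P3P compact policy only when the container opts in. */
public class P3pHeaderFilter implements Filter {
  // Conservative shape check (an assumption of this example): space-separated
  // compact-policy tokens such as CAO, PSA, OUR, optionally suffixed a/i/o.
  // It also keeps quotes and CR/LF in a config value out of the header.
  private static final Pattern POLICY =
      Pattern.compile("[A-Z]{3}[aio]?( [A-Z]{3}[aio]?)*");

  private String headerValue; // null means the header is disabled

  public void init(FilterConfig config) throws ServletException {
    // Hypothetical init-params; off by default so no container starts
    // accepting third-party cookies by accident.
    if (!"true".equalsIgnoreCase(config.getInitParameter("p3p.enabled"))) {
      return;
    }
    String policy = config.getInitParameter("p3p.policy");
    if (policy == null || !POLICY.matcher(policy.trim()).matches()) {
      throw new ServletException("p3p.policy must be a list of compact policy tokens");
    }
    headerValue = "CP=\"" + policy.trim() + "\"";
  }

  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    // Set before the chain runs, while the response is still uncommitted.
    if (headerValue != null && resp instanceof HttpServletResponse) {
      ((HttpServletResponse) resp).setHeader("P3P", headerValue);
    }
    chain.doFilter(req, resp);
  }

  public void destroy() {}
}
```

With `p3p.enabled=true` and `p3p.policy=CAO PSA OUR`, responses passing through the filter carry `P3P: CP="CAO PSA OUR"`; the `web.xml` filter mapping decides which URLs (for example, only the generated iframe content) get the header.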