Posted to dev@shindig.apache.org by "Paul Lindner (JIRA)" <ji...@apache.org> on 2008/03/29 11:32:24 UTC

[jira] Created: (SHINDIG-161) Add P3P headers for generated Iframes

Add P3P headers for generated Iframes
-------------------------------------

                 Key: SHINDIG-161
                 URL: https://issues.apache.org/jira/browse/SHINDIG-161
             Project: Shindig
          Issue Type: Improvement
            Reporter: Paul Lindner


iGoogle adds a P3P header 

  CP="CAO PSA OUR"

This apparently exists to deal with this issue:

http://support.microsoft.com/kb/323752

SYMPTOMS
If you implement a FRAMESET whose FRAMEs point to other Web sites on the networks of your partners or inside your network, but you use different top-level domain names, you may notice in Internet Explorer 6 that any cookies you try to set in those FRAMEs appear to be lost. This is most frequently experienced as a loss of session state in an Active Server Pages (ASP) or ASP.NET Web application. You try to access a variable in the Session object that you expect to exist, and a blank string is returned instead.

You also see this problem in a FRAMEs context if your Web pages alternate between the use of Domain Name System (DNS) names and the use of Internet Protocol (IP) addresses.

CAUSE
Internet Explorer 6 introduced support for the Platform for Privacy Preferences (P3P) Project. The P3P standard notes that if a FRAMESET or a parent window references another site inside a FRAME or inside a child window, the child site is considered third party content. Internet Explorer, which uses the default privacy setting of Medium, silently rejects cookies sent from third party sites.

RESOLUTION
You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.

A simple compact policy that fulfills this criteria follows:

P3P: CP="CAO PSA OUR"


-----

question -- is it valid to insert this?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (SHINDIG-161) Add P3P headers for generated Iframes

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Brown updated SHINDIG-161:
--------------------------------

    Component/s: Gadgets Server - PHP
                 Gadgets Server - Java



[jira] Resolved: (SHINDIG-161) Add P3P headers for generated Iframes

Posted by "Chris Chabot (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Chabot resolved SHINDIG-161.
----------------------------------

    Resolution: Fixed
      Assignee: Chris Chabot

fixed in svn



[jira] Commented: (SHINDIG-161) Add P3P headers for generated Iframes

Posted by "Alex Epshteyn (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12583871#action_12583871 ] 

Alex Epshteyn commented on SHINDIG-161:
---------------------------------------

Will this work in Safari?  Safari is very hard on cookies set from iframes.



[jira] Commented: (SHINDIG-161) Add P3P headers for generated Iframes

Posted by "Chris Chabot (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12587593#action_12587593 ] 

Chris Chabot commented on SHINDIG-161:
--------------------------------------

Added a P3P configuration value to config.php, and added the header to the gadget renderer. If the value is empty it's ignored, else it sends the configured header (with the default config value being CP="CAO PSA OUR").

Should find its way into the repo in the next few days.



[jira] Commented: (SHINDIG-161) Add P3P headers for generated Iframes

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SHINDIG-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12583355#action_12583355 ] 

Kevin Brown commented on SHINDIG-161:
-------------------------------------

I wrote a filter to do this at Orkut's request as well -- I think if we drop this in, it needs to be configurable. Setting 3rd party cookies might not be desirable for all containers.

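The behaviour described in the comments above (a configurable P3P value that is ignored when empty and otherwise sent with rendered gadgets), as an added PHP example. It is not Shindig's code: the 'P3P' config key, the function names and the compact-policy syntax check are assumptions.

```php
<?php
// Added example, not Shindig's code. The 'P3P' config key and the function
// names below are hypothetical.

/**
 * Build the P3P header line for a rendered gadget iframe, or return null
 * when the container has left the setting empty (header disabled).
 */
function buildP3pHeader(array $config): ?string
{
    $value = trim($config['P3P'] ?? '');
    if ($value === '') {
        return null; // empty value: send nothing
    }
    // The config value ends up verbatim in a response header, so reject
    // CR/LF and anything that is not shaped like a compact policy:
    // CP="TOK TOK ...", each token three upper-case letters with an
    // optional a/i/o suffix. This checks syntax only, not vocabulary.
    if (!preg_match('/^CP="[A-Z]{3}[aio]?( [A-Z]{3}[aio]?)*"$/D', $value)) {
        throw new InvalidArgumentException('Malformed P3P compact policy');
    }
    return 'P3P: ' . $value;
}

/** Called by the (hypothetical) renderer before any output is sent. */
function sendP3pHeader(array $config): void
{
    $line = buildP3pHeader($config);
    if ($line !== null && !headers_sent()) {
        header($line);
    }
}

// Constructed sample configurations.
$samples = [
    'default'   => ['P3P' => 'CP="CAO PSA OUR"'],
    'disabled'  => ['P3P' => ''],
    'malformed' => ['P3P' => "CP=\"CAO\"\r\nX-Other: 1"],
];
foreach ($samples as $name => $config) {
    try {
        $line = buildP3pHeader($config);
        echo $name, ': ', $line ?? '(no header)', PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

A container that does not want third-party cookies set from gadget iframes leaves the value empty, and no header is sent.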