Add P3P headers for generated Iframes
-------------------------------------
Key: SHINDIG-161
URL: https://issues.apache.org/jira/browse/SHINDIG-161
Project: Shindig
Issue Type: Improvement
Reporter: Paul Lindner
iGoogle adds a P3P header
CP="CAO PSA OUR"
This apparently exists to deal with this issue:
http://support.microsoft.com/kb/323752
SYMPTOMS
If you implement a FRAMESET whose FRAMEs point to other Web sites on the
networks of your partners or inside your network, but you use different
top-level domain names, you may notice in Internet Explorer 6 that any cookies
you try to set in those FRAMEs appear to be lost. This is most frequently
experienced as a loss of session state in an Active Server Pages (ASP) or
ASP.NET Web application. You try to access a variable in the Session object
that you expect to exist, and a blank string is returned instead.
You also see this problem in a FRAMEs context if your Web pages alternate
between the use of Domain Name System (DNS) names and the use of Internet
Protocol (IP) addresses.
CAUSE
Internet Explorer 6 introduced support for the Platform for Privacy Preferences
(P3P) Project. The P3P standard notes that if a FRAMESET or a parent window
references another site inside a FRAME or inside a child window, the child site
is considered third party content. Internet Explorer, which uses the default
privacy setting of Medium, silently rejects cookies sent from third party sites.
RESOLUTION
You can add a P3P compact policy header to your child content, and you can
declare that no malicious actions are performed with the data of the user. If
Internet Explorer detects a satisfactory policy, then Internet Explorer permits
the cookie to be set.
A simple compact policy that fulfills this criteria follows:
P3P: CP="CAO PSA OUR"
-----
question -- is it valid to insert this?
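
An added example, not part of the original issue or of Shindig's code: a check that flags iframe responses which set a cookie but carry no P3P compact policy, the condition the quoted KB article describes. The function names and sample responses are constructed for illustration, and the check covers only the presence and token shape of the policy, not how Internet Explorer evaluates it.

```python
import re

# Compact-policy tokens are three uppercase letters, optionally followed by
# a one-letter suffix (a, i or o). This checks shape only, not meaning.
TOKEN_RE = re.compile(r"^[A-Z]{3}[aio]?$")
CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_compact_policy(p3p_value):
    """Return the token list from a P3P header value, or None if it has no CP."""
    match = CP_RE.search(p3p_value)
    if match is None:
        return None
    return match.group(1).split()


def audit_iframe_response(headers):
    """Classify one response given as a list of (name, value) header pairs."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    if "set-cookie" not in by_name:
        return "no-cookie"            # nothing for the browser to reject
    tokens = None
    for value in by_name.get("p3p", []):
        tokens = parse_compact_policy(value)
        if tokens is not None:
            break
    if tokens is None:
        return "cookie-without-cp"    # the case described under SYMPTOMS
    if not tokens or any(not TOKEN_RE.match(t) for t in tokens):
        return "malformed-cp"
    return "cookie-with-cp"


# Constructed sample responses (hypothetical header values).
SAMPLES = {
    "with policy": [("Set-Cookie", "sid=abc123; Path=/"),
                    ("P3P", 'CP="CAO PSA OUR"')],
    "no policy": [("Set-Cookie", "sid=abc123; Path=/")],
    "policyref only": [("Set-Cookie", "sid=abc123; Path=/"),
                       ("P3P", 'policyref="/w3c/p3p.xml"')],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {audit_iframe_response(headers)}")
```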