[ https://issues.apache.org/jira/browse/SHINDIG-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12583355#action_12583355 ]
Kevin Brown commented on SHINDIG-161:
-------------------------------------
I wrote a filter to do this at Orkut's request as well -- I think if we drop
this in, it needs to be configurable. Setting 3rd party cookies might not be
desirable for all containers.
> Add P3P headers for generated Iframes
> -------------------------------------
>
> Key: SHINDIG-161
> URL: https://issues.apache.org/jira/browse/SHINDIG-161
> Project: Shindig
> Issue Type: Improvement
> Reporter: Paul Lindner
>
> iGoogle adds a P3P header
> CP="CAO PSA OUR"
> This apparently exists to deal with this issue:
> http://support.microsoft.com/kb/323752
> SYMPTOMS
> If you implement a FRAMESET whose FRAMEs point to other Web sites on the
> networks of your partners or inside your network, but you use different
> top-level domain names, you may notice in Internet Explorer 6 that any
> cookies you try to set in those FRAMEs appear to be lost. This is most
> frequently experienced as a loss of session state in an Active Server Pages
> (ASP) or ASP.NET Web application. You try to access a variable in the Session
> object that you expect to exist, and a blank string is returned instead.
> You also see this problem in a FRAMEs context if your Web pages alternate
> between the use of Domain Name System (DNS) names and the use of Internet
> Protocol (IP) addresses.
> CAUSE
> Internet Explorer 6 introduced support for the Platform for Privacy
> Preferences (P3P) Project. The P3P standard notes that if a FRAMESET or a
> parent window references another site inside a FRAME or inside a child
> window, the child site is considered third party content. Internet Explorer,
> which uses the default privacy setting of Medium, silently rejects cookies
> sent from third party sites.
> RESOLUTION
> You can add a P3P compact policy header to your child content, and you can
> declare that no malicious actions are performed with the data of the user. If
> Internet Explorer detects a satisfactory policy, then Internet Explorer
> permits the cookie to be set.
> A simple compact policy that fulfills this criteria follows:
> P3P: CP="CAO PSA OUR"
> -----
> question -- is it valid to insert this?
--
This message is automatically generated by JIRA.
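
One way a container could make the header opt-in, as discussed in the comment above. This is an added example, not Shindig's code and not the filter Kevin Brown mentions; the class name `P3PHeaderFilter` and the init-param `p3p.compactPolicy` are hypothetical, and the token check is a loose shape check assumed for illustration.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class and parameter names; not part of Shindig.
public class P3PHeaderFilter implements Filter {
  // Hypothetical init-param. Leaving it unset keeps the header off, so a
  // container has to opt in to third-party cookies in IE 6 frames.
  static final String PARAM = "p3p.compactPolicy";

  // Loose shape check (assumption): short alphanumeric tokens separated by
  // single spaces. Rejecting everything else also keeps quotes and CR/LF
  // out of the response header value.
  private static final Pattern TOKENS =
      Pattern.compile("[A-Za-z0-9]{3,4}( [A-Za-z0-9]{3,4})*");

  private String headerValue; // null means the container did not opt in

  @Override
  public void init(FilterConfig config) throws ServletException {
    String policy = config.getInitParameter(PARAM);
    if (policy == null || policy.trim().isEmpty()) {
      return; // not configured: emit nothing
    }
    policy = policy.trim();
    if (!TOKENS.matcher(policy).matches()) {
      // Fail at startup rather than emit a malformed header on every response.
      throw new ServletException("Invalid value for init-param " + PARAM);
    }
    headerValue = "CP=\"" + policy + "\""; // e.g. CP="CAO PSA OUR"
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    if (headerValue != null && resp instanceof HttpServletResponse) {
      // Set before the chain runs so the header is in place before the
      // response is committed.
      ((HttpServletResponse) resp).setHeader("P3P", headerValue);
    }
    chain.doFilter(req, resp);
  }

  @Override
  public void destroy() {}
}
```

A container that wants the behaviour quoted in the issue would map this filter onto its iframe-rendering URLs and set the init-param to `CAO PSA OUR`; the compact policy is a declaration about data handling, so the value should be chosen by whoever is accountable for the container's privacy policy.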