A summary of solutions to the IFrame cookie problem in IE (GO)

Source: Internet
Author: User

Recently, while building a traffic statistics feature, I found by accident that IE applies security restrictions when a page inside an iframe writes a cookie, so reading the cookie back fails. After a long search for a solution, the main points I found are the following:


1. The cookie on the page cannot be a browser-process (session) cookie, which includes authentication tickets and cookies with no timeout set; otherwise it cannot be read across domains. Few people who work with cross-domain cookies notice this. But if you look at the programs a few universities have built, their authentication modules do set a timeout on the cookie.

2. When using an IFRAME, remember to add the P3P information to the HTTP header of the corresponding dynamic page; otherwise IE will deliberately block the cookie inside the IFRAME, which causes problems. It is not in itself to save nature. This is really a frameset-and-cookies issue, and you will run into it with either a frame or an IFRAME.

3. Outputting trace information during testing greatly reduces the testing workload.

You only need to set the P3P HTTP header to successfully set the cookie across domains within the implied iframe. The content used is:

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

ASP: add a header statement directly at the top of the page (tested and working):
<% Response.AddHeader "P3P", "CP=CAO PSA OUR" %>

PHP: it should be written as follows:
header('P3P: CP=CAO PSA OUR');

ASP.NET:
Add Response.AddHeader("P3P", "CP=CAO PSA OUR") to the code, or start the ASP.NET State Service in Windows Services.

JSP:
response.setHeader("P3P", "CP=CAO PSA OUR");

You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.

Visit the following MSDN Web site for a complete list of satisfactory and unsatisfactory policy codes:

Privacy in Internet Explorer 6
http://msdn.microsoft.com/workshop/security/privacy/overview/privacyie6.asp

A simple compact policy that fulfills these criteria follows:

P3P: CP="CAO PSA OUR"

This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies.

You can set this header if you use the Response.AddHeader method on an ASP page. In ASP.NET, you can use the Response.AppendHeader method. You can use the IIS Management snap-in (inetmgr) to add the header to a static file.

Follow these steps to add this header to a static file:

    1. Click Start, click Run, and then type inetmgr.
    2. In the left navigation page, click the appropriate file or directory in your Web site to which you want to add the header, right-click the file, and then click Properties.
    3. Click the HTTP Headers tab.
    4. In the Custom HTTP Headers group box, click Add.
    5. Type P3P for the header name, and then for the compact policy string, type CP=..., where "..." is the appropriate code for your compact policy.

Alternatively, Internet Explorer users can modify their privacy settings so that they are prompted to accept third-party content. The following steps show how to modify the privacy settings:

    1. Run Internet Explorer.
    2. Click Tools, and then click Internet Options.
    3. Click the Privacy tab, and then click Advanced.
    4. Click to select the Override automatic cookie handling check box.
    5. To allow ASP and ASP.NET session cookies to be set, click to select the Always allow session cookies check box.
    6. To receive a prompt for any type of third-party cookie, click Prompt in the third-party cookie list.

Analysis of the problem of reading and writing cookies in an IE6 iframe or frame

First, causes

The floating window on a customer's website is implemented by adding a link script to the customer's site, such as "www.xtb.com/script.js". The script writes an IFRAME into the customer's page, and the src="" of this iframe is a link to our website. One of the functional requirements of the ICT is to record the number of times a user has visited the site, which requires cookies to be saved on the visitor's computer. However, in IE6 there is no way to read and write cookies in a frame or iframe as usual, because IE6 added a privacy protection feature based on the Platform for Privacy Preferences (P3P); please refer to "Microsoft announces details of the new privacy protection features IE6".

Article Source: http://hi.baidu.com/wuchangx

Privacy protection settings in IE6:
Under the Tools menu, select Internet Options and click the "Privacy" tab. The default privacy level for IE 6 is Medium: it blocks third-party cookies that do not have a compact privacy policy, blocks third-party cookies that use personally identifiable information without your implicit consent, and restricts first-party cookies that use personally identifiable information without implicit consent.

In IE6, cookies are classified as first-party cookies and third-party cookies. So-called third-party cookies are the cookies of pages nested in a frame or an IFRAME. For example, ABC Company purchased our product and added a link script (www.xtb.com/test.js) to its company website, http://www.abc.com/, and the script adds an IFRAME to ABC Company's website. The content of this IFRAME is a page on xtb.com, such as www.xtb.com/List.aspx?cid=1234, and this List.aspx page needs to read and write cookies to record the number of visitors. When visitors browse ABC Company's website, http://www.abc.com/ is the first-party site and xtb.com is regarded as a third-party site. When List.aspx attempts to read and write cookies, IE6 automatically intercepts the attempt (a red forbidden icon is displayed in the status bar), and this can be seen in the privacy report.

Here are the workarounds that Lingfeng now uses:
----------------------------------------------------
Lingfeng (33446***) 09:28:58
One of the available parts of the PO code in the platform:
Add P3P to HTTP header output stream to resolve an issue where cookies cannot be set under an IFRAME
Response.AddHeader("P3P", "CP=CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR");
Lingfeng (3344***) 09:31:16
Under IE it is not possible to set cookies in the IFRAME, under FF, but copy the above code to Page_Load to resolve the problem.
---------------------------------------
This method is applied in the 2nd edition of the ICT and passed the test.

Second, P3P

What is P3P?
P3P is a privacy protection recommendation published by the World Wide Web Consortium, designed to protect the privacy of Internet users as they browse the web. More and more websites now collect some user information during a visit. The starting point of the P3P standard is to ease consumers' concern that their privacy may be infringed when a website collects personal information. The idea of the P3P standard is that a website's privacy policy should tell visitors what types of information the site collects, to whom the information will be provided, how long the information will be retained, and how the information is used. For example, the site should make statements such as "This site will monitor the pages you visit to improve site usage" or "This site will provide you with the best possible advertising". Users who visit a website that supports P3P have the right to view the site's privacy report and then decide whether to accept cookies or use the site.

Visit the official P3P page for more technical information: http://www.w3.org/P3P.

Third, related technical articles

    1. Help! IE6 Is Blocking My Cookies [1], [2]
      a). What Is P3P?
      b). Why Does IE6 Block My Cookies?
      c). What Are Third-Party Cookies?
      e). How Can I Prevent IE6 from Blocking My Cookies?
      f). How Do I P3P Enable My Web Site and Use Compact Policies?
      g). I P3P-Enabled My Site, but My Cookies Are Still Being Blocked by IE6
      h). My Cookies Aren't Being Blocked, but Users Are Not Able to View an IE6 Privacy Report for My Site
    2. The Platform for Privacy Preferences 1.0 Deployment Guide
    3. Make Your Web Site P3P Compliant
      This article describes how to implement P3P policies on a Web site in 6 simple steps.

Fourth, solutions to the "crown"

After reading the articles in the third section, you will find that the so-called P3P policy is actually a simple XML file deployed on the web server that indicates which cookies the site uses and for what purpose. The XML file looks similar to this:
<META xmlns="http://www.w3.org/2000/12/P3Pv1">
<POLICY-REFERENCES>
<POLICY-REF about="/p3p/policy1.xml">
<COOKIE-INCLUDE
name="*"
value="*"
domain="*"
path="*"/>
</POLICY-REF>
</POLICY-REFERENCES>
</META>
This file can be written using the IBM P3P Policy Editor.

Three ways to deploy:

      1. Well-known location
        /w3c/p3p.xml
        Rename the P3P reference file to p3p.xml and place it in the /w3c directory.
      2. HTTP header
        P3P: policyref="http://www.mysite.com/w3c/p3p.xml", CP="ALL DSP COR NID CUR OUR IND PUR"
        The CP is a list of 3-character codes (the relevant information has been described on the website). In the above example, the website collects data indefinitely (INDefinitely) for use by our company (OUR), for purchasing (PURchasing) or to complete the current activity (CURrent). The codes also declare disputes (DSP) and that only non-identifiable data is stored in the cookie (NID). Since our website stores the customer number in a cookie, NID should be removed from the list.
        The CP should match the full policy, so if you use NID in the CP, your policy file should include the <nonident/> tag. The verification tool described in the next section checks that these settings match; Internet Explorer 6.0 also checks the policy file and, if there is a difference, treats the policy as invalid.
        If it is a dynamic page such as asp/asp.net/jsp/php, you can also add code similar to the following:
        response.setHeader("P3P", "policyref=\"http://www.mysite.com/w3c/p3p.xml\", CP=\"ALL DSP COR CUR OUR IND PUR\"");
      3. Embed a link tag in the HTML content
        <link rel="P3Pv1" href="/w3c/p3p.xml"></link>
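
The following added example (not from the original article) parses a P3P header with the policyref and CP fields of deployment method 2 and applies the two checks described there: every CP token must belong to the P3P 1.0 compact-policy vocabulary, and NID must not be declared when a cookie stores a customer number. The token table is transcribed here for illustration, the function names are hypothetical, and the parser assumes quoted field values.

```python
import re

# P3P 1.0 compact-policy vocabulary, transcribed for this example
# (an assumption of this sketch; verify against the W3C specification).
VOCAB = {
    "access": "NOI ALL CAO IDC OTI NON",
    "disputes": "DSP",
    "remedies": "COR MON LAW",
    "non-identifiable": "NID",
    "purpose": "CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP",
    "recipient": "OUR DEL SAM UNR PUB OTR",
    "retention": "NOR STP LEG BUS IND",
    "category": "PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC",
    "test": "TST",
}
TOKEN_GROUP = {tok: group for group, toks in VOCAB.items() for tok in toks.split()}
SUFFIXED = {"purpose", "recipient"}  # groups that may carry a consent suffix a/i/o


def parse_p3p(header_value):
    """Split a P3P header value into its policyref URL and compact-policy tokens."""
    pairs = re.findall(r'(\w+)\s*=\s*"([^"]*)"', header_value)
    fields = {name.lower(): value for name, value in pairs}
    return fields.get("policyref"), fields.get("cp", "").split()


def classify(token):
    """Return the vocabulary group of a token, or None if the token is not valid."""
    group = TOKEN_GROUP.get(token)  # tokens are case-sensitive: "our" is not "OUR"
    if group is None and len(token) == 4 and token[3] in "aio":
        group = TOKEN_GROUP.get(token[:3])
        if group not in SUFFIXED:
            group = None
    return group


def check_policy(header_value, cookie_identifies_user):
    """Return (policyref, problems) for a site whose cookie may identify the user."""
    policyref, tokens = parse_p3p(header_value)
    problems = []
    if not tokens:
        problems.append("no CP field")
    for tok in tokens:
        if classify(tok) is None:
            problems.append("unknown token: " + tok)
    if "NID" in tokens and cookie_identifies_user:
        problems.append("NID declared but the cookie identifies the user")
    return policyref, problems
```

Running check_policy over the headers a site actually sends, before testing in the browser, catches mistyped or wrongly cased tokens and a leftover NID.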
