Summary of solutions to the cookie problem of IFRAME in IE)

When I was doing a Traffic Statistics item recently, I accidentally found that IE had some security restrictions when writing cookies on pages in IFRAME, which led to the failure to read cookies, after finding a solution for a long time, find the following methods:

 

1. the cookie on the page cannot be the cookie of the browser process (including the verification ticket and the cookie without setting the timeout time), otherwise the cross-domain will not be obtained. this is rarely mentioned by people who use cross-origin cookies. however, I actually pay attention to the solutions made by several universities. I have mentioned that the cookies in their verification module set the timeout time.

2. when using IFRAME, remember to add the p3p information to the page header of the corresponding dynamic page. Otherwise, ie will consciously block the cookie in the IFRAME box, causing problems. if it is not saved, it cannot be obtained. this is actually a problem with frameset and cookie, which can be encountered by frame or IFRAME.

3. The trace output during the test reduces the test workload.

You only need to set the p3p HTTP HeaderIn the implicit IFRAME, you can set the cookie across domains. They used the following content:

P3p: Cp = 'cura ADMA Deva psao psdo our bus uni pur int DEM sta pre com nav OTC Noi DSP core'

ASP directly adds a header declaration in the header to test the validity.
<% Response. addheader "p3p", "cp = CaO PSA our" %>

PHP should be written as follows:
Header ('p3p: Cp = CaO PSA our ');

ASP. NET
InCodeAdd response. addheader ("p3p", "cp = CaO PSA our") or start ASP. NET state service in the window service.

JSP:
Response. setheader ("p3p", "cp = CaO PSA our ")

 

 

 

You can add a p3p Compact Policy header to your child content, and you can declare that no malicous actions are stored Med with the data of the user. if Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.

Visit the following msdn Web site for a complete list of satisfactory and unsatisfactory policy codes:

Privacy in Internet Explorer 6
Http://msdn.microsoft.com/workshop/security/privacy/overview/privacyie6.aspHttp://msdn.microsoft.com/workshop/security/privacy/overview/privacyie6.asp)

A simple compact policy that fulfills this criteria follows:

P3p: Cp = "Cao PSA our"

This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed ", which means that the data is connected to your online persona and not to your physical identity (PSA ), and that your data is not supplied to any outside agencies for those agencies to use (our ).

You can set this header if you useResponse. addheaderMethod in an ASP page. in ASP. NET, you can useResponse. appendheaderMethod. You can use the IIS management snap-in (inetmgr) to add to a static file.

Follow these steps to add this header to a static file:

1. ClickStart, ClickRun, And then typeInetmgr.
2. In the left navigation page, click the appropriate file or directory in your web site to which you want to add the header, right-click the file, and then clickProperties.
3. ClickHTTP headersTab.
4. InCustom HTTP headersGroup box, clickAdd.
5. TypeP3pFor the header name, and then for the Compact Policy string, TypeCP =..., Where "..." is the appropriate code for your compact policy.

Alternatively, Internet Explorer users can modify their privacy settings so that they are prompted to accept third party content. The following steps show how to modify the privacy settings:

1. Run Internet Explorer.
2. ClickTools, And then clickInternet Options.
3. ClickPrivacyTab, and then clickAdvanced.
4. Click to selectOverride automatic Cookie HandlingCheck box.
5. To allow ASP and ASP. NET session cookies to be set, click to selectAlways allow session cookiesCheck box.
6. To receive a prompt for any type of third party cookie, clickPromptInThird-party cookiesList.

Analysis on read/write cookies in IE6 IFRAME or frame

I. Cause

The implementation of the floating window on the customer's website is to add a link script on the customer's website to write an IFRAME on the customer's website, the content in this IFRAME src = "" is directed to the trustpass website, for example, src = "www.xtb.com/script.js ". One of the functional requirements of xintong Bao is to record the number of times users visit the website, which requires that cookies be saved on the visitor's computer. However, in IE6, frame and IFRAME cannot read or write cookies as usual. Because IE6 has added the Privacy Protection Function Based on platformforprivacypreferences (p3p). For more information about this function, see"Microsoft announces details of the new privacy protection feature in IE6"

ArticleSource: http://hi.baidu.com/wuchangx
Email: wuchang@guet.edu.cn

Privacy Protection settings in IE6:
Select "Internet Options" under the "Tools" menu ". Click the "privacy" tab. The default privacy level of IE 6 is set to "medium" -- that is,"Prevent third-party cookies without contractual privacy policies; prevent the use of third-party cookies with personal identifiable information without your implied permission; restrict the use of personal identifiable information without the implied permission of the First-party cookies". See:

In IE6, cookies are divided into first party cookies and third party cookies, that is, first-party cookies and third-party cookies. The so-called third-party cookies refer to cookies nested on pages in frame or IFRAME. For example, ABC purchased our trustpass product and installed the trustpass script (www.xtb.com/test.js) on its website http://www.abc.com/shenzhen. This script adds an IFRAME to the website of ABC, the content of this IFRAME is a page on xtb.com, such as (www.xtb.com/list.aspx? Cid = 1234), and the list. ASPX page needs to read and write cookies to record the number of visitors and other information. When a visitor accesses the ABC website, refer (the red forbidden icon is displayed under the status bar). You can view a privacy report similar to this:

Here are the solutions that lingfeng uses:
----------------------------------------------------
Ling Feng (33446 ***) 09:28:58
One of the available parts of the trustpass code in the Platform:
// Add p3p to the HTTP header output stream to solve the problem that the cookie cannot be set in IFRAME.
Response. addheader ("p3p", "cp = Cura ADMA Deva psao psdo our bus uni pur int DEM sta pre com nav OTC Noi DSP cor ");
Ling Feng (3344 ***) 09:31:16
In IE, you cannot set cookies in IFRAME. In ff, you can copy the above Code to page_load to solve this problem.
---------------------------------------
This method is applied to the 2nd version of the letter Tong Bao and passed the test.

Ii. p3p

What is p3p?
P3p is a privacy protection recommendation standard published by the World Wide Web Consortium (W3C). It aims to provide privacy protection for Internet users who surf the Internet. More and more Websites collect user information when consumers access the website. The purpose of making the p3p standard is to alleviate consumers' concerns about potential infringement of privacy due to website collection of personal information. The concept of the p3p standard is: the privacy policy of a Web site should inform the visitor of the type of information collected by the site, who the information will be provided to, how long the information will be retained, and how the information will be used, for example, the website shall make a statement such as "this website will monitor the pages you visit to improve the site usage" or "this website will provide you with more suitable advertisements as much as possible. Users who access the website that supports p3p have the right to view the site privacy report, and then decide whether to accept cookies or use the website.

Visit the official p3p webpage for more technical information:Http://www.w3.org/P3P.

Iii. Related Technical Articles

1. Help! IE6 is blocking my cookies [1], [2]
   A). What is p3p?
   B). Why does IE6 block my cookies?
   C). What are third-party cookies?
   E). How can I prevent IE6 from blocking my cookies?
   F). How do I p3p enable my Web site and Use compact policies?
   G). I P3P-Enabled my site, but my cookies are still being blocked by IE6
   H). My cookies aren't being blocked, but users are not able to view an I). IE6 privacy report for my site
2. The platform for privacy preferences 1.0 Deployment Guide
3. Make your web site p3p compliant
   This article describes how to implement the p3p policy on the website through six simple steps.

Iv. Official Solution

After reading the article in Section 3, you will find that the so-called p3p policy is actually a simple XML file deployed on the Web server, specifying what cookies the website intends to use and what uses it. This XML file is similar to this format
<Meta xmlns = "http://www.w3.org/2000/12/P3Pv1">
<Policy-references>
<Policy-ref about = "/p3p/policy1.xml">
<Cookie-include
Name = "*"
Value = "*"
Domain = "*"
Path = "*"/>
</Policy-ref>
</Policy-references>
</Meta>
You can use the IBM p3p Policy Editor.IBM's p3p Policy EditorTo compile this file.

Three deployment methods:

1. well-know location
   /W3C/p3p. XML
   rename the p3p reference file to p3p. XML and placed in the/W3C directory
2. HTTP header
   p3p: policyref = "http://www.mysite.com/w3c/p3p.xml" cp = "All DSP cor NID cur our ind pur"
   CP is a list of three-character codes (related information has been described on W3C website) ). In the preceding example, the website occasionally collects data about the purchased item category (purchasing) or current activity (current) for our. Data of disputes and non-identifiable can be used as Cookie storage (NID ). Because our website stores customer numbers as cookies, the NID should be deleted from the list.
   CP should match the complete policy. Therefore, if you use NID in CP, you should include the label in your policy file. In order to match these settings, the verification tool described in the next section checks the above Code. If there are any differences, the Internet Explorer 6.0 browser also checks the policy file and invalidates the policy file.
   if it is an ASP/asp.net/jsp/php dynamic page, you can use the following code:
   response. setheader ("p3p", "policyref =" http://www.mysite.com/w3c/p3p.xml " cp = "All DSP cor cur our ind pur" ");
3. embed link tags in HTML content