Use p3p header to solve IFRAME cross-origin access cookie

Posted on February 14.

While integrating several applications I ran into a problem where an IFRAME could not obtain the cookie (session). After some Googling the problem was finally solved, so I am recording it here.

Here is the requirement.
One application was developed in .NET. It mainly handles user login and user access permissions, and is deployed in the Shanghai data center. Call it application A.
Another application was developed in Java, mainly for specific business operations, and is deployed in the Beijing data center. Call it application B.
Because there is already an application for user management and permissions, the Java application B does not implement user permissions itself and wants to use the .NET application A directly for that.

The user access process is as follows:
1. The user logs on to A first. A sets its own cookie, and A's menu contains a link to B's application.
2. When the user clicks the link to B's application, A automatically appends the user's token to the link and passes it to B's system.
3. After system B receives the request, it stores the user's token in a cookie of its own system. (System B has form POST operations. Without a cookie or session, every request, whether GET or POST, would have to carry the user's token explicitly; that would mean a large number of changes to the system, and changing the permission-check method later would also be a large amount of work.)
4. In system B, the token is not passed explicitly with each operation. Instead, the token is read from the cookie and an HTTP request is sent to system A so that A can verify whether the user has access permission.
5. If system A's interface returns that access is allowed, system B continues to execute the report. If system A indicates that there is no access permission, system B shows a warning message that access is restricted.

All development was complete, but when the integration went live I found that this process did not work, and for a long time I could not figure out what was going on. After a lot of Googling it turned out that IE was the culprit: IE does not allow cross-origin access to cookies (Firefox seems to be fine; IE has implemented the W3C P3P protocol since version 6.0). In my application, the cookie that application B sets in the IFRAME is blocked by IE on every subsequent request to application B, because the user's access originates from application A, and IE treats A's access to B's content as a third-party (cross-origin) privacy risk. (There is a red-eye icon in the IE status bar; click it to see which cookies were blocked.)

Once the cause is understood it is easy to fix, and Google shows that the P3P header can be used to solve the problem.
The following is one of the Java solutions, and also the one I used, although the approach is not very elegant:
Add a P3P header to the response.
    response.addHeader("P3P", "CP=\"IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA\"");

CP="xxx xxxx" has a specific meaning: CP stands for Compact Policy.
Alternatively, the header value can be policyref="http://myhost/p3p/policyreferences.xml", which points to a full policy reference file instead of a compact policy.
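Rather than calling addHeader in every servlet of application B, the same header can be set once for every response by a servlet filter. The following filter is an added example, not code from the original post; the class name P3PHeaderFilter and the init-param name compactPolicy are my own choices, and the default compact policy string is the one the post uses.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets a P3P compact policy header on every HTTP response passing through
 * the filter, so that IE (6+) accepts the cookies application B sets inside
 * application A's IFRAME. Hypothetical example class, not part of the post.
 */
public class P3PHeaderFilter implements Filter {

    // Default: the same compact policy the post adds per response.
    private static final String DEFAULT_CP =
            "CP=\"IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA\"";

    private String cpValue = DEFAULT_CP;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Optional init-param "compactPolicy" (assumed name) holds only the token
        // list, e.g. "IDC DSP COR ADMa OUR IND", so the policy is configuration,
        // not code. A blank or missing value keeps the default above.
        String configured = config.getInitParameter("compactPolicy");
        if (configured != null && !configured.trim().isEmpty()) {
            if (configured.indexOf('"') >= 0) {
                // A stray quote would terminate the CP="..." field early; reject it.
                throw new ServletException("compactPolicy must not contain quotes");
            }
            cpValue = "CP=\"" + configured.trim() + "\"";
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // setHeader rather than addHeader: if a servlet downstream also sets
            // P3P, the response must not end up with two conflicting headers.
            ((HttpServletResponse) res).setHeader("P3P", cpValue);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Exposed for tests: the exact header value this filter will emit. */
    String headerValue() {
        return cpValue;
    }
}
```

Register the filter in web.xml with a filter-mapping whose url-pattern is /* so that the response carrying the Set-Cookie in step 3 is covered as well as every later request. Keep in mind that the header is a privacy declaration: the tokens should describe what application B actually does with the data. Only IE ever honored P3P; current browsers ignore the header and decide third-party cookie handling through SameSite attributes and their own cookie settings, so this filter is compatibility code for IE rather than a general cross-origin cookie mechanism.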

For details, see the P3P 1.0 specification.

The following is the range and meaning of the compact policy values, extracted from the specification.

Compact policies

Compact policies are essentially summaries of P3P policies. They can be used by user agents to quickly get approximate information about a P3P policy, thereby improving performance.

For an in-depth explanation of compact policies, we refer to the P3P 1.0 [4] specification. Here we limit ourselves to stating the syntax:

compact-policy-field = 'CP="' compact-policy '"'

compact-policy = compact-token *(" " compact-token)

compact-token = compact-access |
                compact-disputes |
                compact-remedies |
                compact-non-identifiable |
                compact-purpose |
                compact-recipient |
                compact-retention |
                compact-categories |
                compact-test

compact-access = "NOI" | "ALL" | "CAO" | "IDC" | "OTI" | "NON"

compact-disputes = "DSP"

compact-remedies = "COR" | "MON" | "LAW"

compact-non-identifiable = "NID"

compact-purpose = "CUR" | "ADM" [creq] | "DEV" [creq] | "TAI" [creq] |
                  "PSA" [creq] | "PSD" [creq] | "IVA" [creq] | "IVD" [creq] |
                  "CON" [creq] | "HIS" [creq] | "TEL" [creq] | "OTP" [creq]

creq = "a" | "i" | "o"

compact-recipient = "OUR" | "DEL" [creq] | "SAM" [creq] | "UNR" [creq] |
                    "PUB" [creq] | "OTR" [creq]

compact-retention = "NOR" | "STP" | "LEG" | "BUS" | "IND"

compact-category = "PHY" | "ONL" | "UNI" | "PUR" | "FIN" | "COM" |
                   "NAV" | "INT" | "DEM" | "CNT" | "STA" | "POL" |
                   "HEA" | "PRE" | "LOC" | "GOV" | "OTC"

compact-test = "TST"
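The grammar above can be turned into a small checker that tells you whether a CP header value is well formed before it ships, which is cheaper than discovering a blocked cookie in the IE status bar. The class below is an added example written for this page, not code from the post or from the W3C; the class name CompactPolicyValidator and its method names are my own. It implements only the token syntax listed above (membership in the token sets and the optional a/i/o suffix), not any semantic rules about which tokens may be combined.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Syntax checker for P3P compact policies. Hypothetical example class. */
public final class CompactPolicyValidator {

    // Tokens that never take a creq suffix, grouped as in the grammar.
    private static final Set<String> PLAIN = new HashSet<>(Arrays.asList(
            "NOI", "ALL", "CAO", "IDC", "OTI", "NON",                  // compact-access
            "DSP",                                                     // compact-disputes
            "COR", "MON", "LAW",                                       // compact-remedies
            "NID",                                                     // compact-non-identifiable
            "CUR",                                                     // compact-purpose (no creq)
            "OUR",                                                     // compact-recipient (no creq)
            "NOR", "STP", "LEG", "BUS", "IND",                         // compact-retention
            "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",    // compact-category
            "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",
            "TST"));                                                   // compact-test

    // Tokens that may carry an optional creq suffix ("a", "i" or "o").
    private static final Set<String> WITH_CREQ = new HashSet<>(Arrays.asList(
            "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
            "DEL", "SAM", "UNR", "PUB", "OTR"));

    /** True if one token matches the compact-token production. */
    static boolean isValidToken(String token) {
        if (PLAIN.contains(token) || WITH_CREQ.contains(token)) {
            return true;
        }
        if (token.length() == 4 && WITH_CREQ.contains(token.substring(0, 3))) {
            char creq = token.charAt(3);
            return creq == 'a' || creq == 'i' || creq == 'o';
        }
        return false;
    }

    /**
     * Extracts the compact-policy part from a compact-policy-field such as
     * CP="IDC DSP ...". Returns null if the field itself is malformed.
     */
    static String extractPolicy(String headerValue) {
        String v = headerValue.trim();
        if (v.length() < 5 || !v.startsWith("CP=\"") || !v.endsWith("\"")) {
            return null;
        }
        return v.substring(4, v.length() - 1);
    }

    /** Tokens that violate the grammar; an empty list means the value is well formed. */
    static List<String> invalidTokens(String headerValue) {
        List<String> bad = new ArrayList<>();
        String policy = extractPolicy(headerValue);
        if (policy == null) {
            bad.add("<malformed CP=\"...\" field>");
            return bad;
        }
        // compact-policy = compact-token *(" " compact-token): single-space separated.
        for (String token : policy.split(" ")) {
            if (!isValidToken(token)) {
                bad.add(token);
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed sample values: the post's own header plus two made-up ones.
        String[] samples = {
                "CP=\"IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA\"", // from the post
                "CP=\"NOI DSP COR NID PSAo OUR IND STP\"",              // constructed, valid
                "CP=\"IDC FOO ADMx\"",                                  // constructed, invalid
                "P3P policyref=\"/p3p.xml\""                            // not a CP field
        };
        for (String s : samples) {
            System.out.println(s + " -> invalid tokens: " + invalidTokens(s));
        }
    }
}
```

Running main reports that the post's header has exactly one token outside the grammar, CURa: as listed above, CUR is the one purpose token that takes no creq suffix. The header worked for the author in IE, which is lenient, but a strict checker (or the W3C validator linked below) will flag it, so CUR is the safer spelling. The other outputs are an empty list for the valid constructed value, [FOO, ADMx] for the invalid one, and the malformed-field marker for the policyref form, which this checker does not handle.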

In addition, here is a P3P validation tool: http://www.w3.org/p3p/validator.html, which can check the P3P policy a site has set.

There is also a good English-language article on this topic that is worth reading: http://www.sitepoint.com/article/p3p-cookies-ie6/2
