Cookie blocked in Iframe for Internet Explorer

Sat 27 June 2015 by Godson

When working with chat application recently which uses user sessions, IE is not saving the cookies. This happens when your webpage gets embedded into an iFrame.

Scenario

Lets say we have two websites example.com and anotherexample.com. Now, in anotherexample.com I have an iFrame SRC="http://example.com/someform.asp". If I open that someform.asp in a seperate window everything works fine, but when I open that form in iframe in this anotherexample.com site, cookies are not saving for example.com. The root cause of this wierd issue is because p3p policy.

What's happening?

As explained here, internet explorer gives the lower level of trust to iframe pages. So, if the page inside iframe doesn't have a privacy policy, it's cookies are blocked. In this case when cookies are blocked session identifier is not sent which gives us a session not found error.

Solution

To overcome this issue or more exactly to say to make IFRAME more trusted, if the inner page(in this case http://example.com/someform.asp) sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.

You can refer here for creating a privacy policy.

P3P headers are now dead and a solution to bypass IE security is to inject p3p header. Refer below code on how to inject p3p header in python

from django.shortcuts import render_to_response
from django.template import RequestContext

def foo():
   #some code here
   r = render_to_response(template_name, locals(),
                          context_instance=RequestContext(request))
   r['P3P'] = 'CP="Including P3P policy header"'
   return r

The above code is just an example on bypassing IE security i.e. to make IE save cookies for webpage inside an IFRAME we have to include this so called P3P policy header.

Links
Lintel Technologies