How to get Internet Explorer to use cookies inside a frame to a third party site.

Brett Batie, 09-16-2008
In the past we used to be able to have a frame (or an iframe) load a third party site and it would just work. With Internet Explorer 6 and 7 there has been a security "enhancement" that can cause a web developer a bit of grief. This enhancement added "The Platform for Privacy Preferences" also known as P3P to Internet Explorer.


The point of P3P is to make a website's privacy policy transparent. This allows users to quickly find the privacy policy of a website. The privacy policy of a website can be seen by clicking the eye icon in the status bar of Internet Explorer. P3P-enabled browsers can also automatically load the policy and determine if the site is safe for the user. This is where the problem can occur when loading a third party site in a frame with Internet Explorer.

IE's Default Setting

By default Internet Explorer has a privacy setting of Medium. This can be seen by going to Tools -> Internet Options and clicking on the Privacy Tab. On this setting it will block third-party cookies that do not have a compact privacy policy.

It Just Doesn't Work

Here is an example of what just won't work in Internet Explorer when using frames. First you create your frameset page and it looks something like the following.


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title></title>
</head>
  <frameset cols="180,*">
    <frame src="http://www.site1.com/site1.html" scrolling="yes" frameborder="1" />
    <frame src="http://www.site2.com/site2.html" scrolling="yes" frameborder="1" />
  </frameset>
</html>
Then you upload that html file to Your-Website.com and you display the page in Internet Explorer which gives you something like the following.


At this point everything looks good, but as soon as you click the "submit" button you find out that nothing happens. The reason is that both site1.com and site2.com are third party sites and they are using cookies. In order to fix this issue both site1.com and site2.com will need to install a privacy policy.

Installing a Privacy Policy (P3P)

Installing a generic privacy policy can be as simple as adding the following code to the header output on your website, which would look like this when using PHP:


@header('P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"');
Now that was easy. But it probably is not a good solution if you want to actually know what your visitors will see with your privacy policy. This is where it can get a little more complicated. You could read up on it by going to the Platform for Privacy Preferences (P3P) Project but that is not the easiest read. An easier solution is to use a P3P generation tool which will guide you along the process of creating your own unique privacy policy.

Verify That Your Policy Is Installed

There are a couple of ways to check whether your privacy policy is installed correctly. First, you could go to the website in Internet Explorer and then click "Page" -> "Web Page Privacy Policy". A dialog box will pop up and you can select your site and click "summary". At this point you will see your privacy policy or a message indicating that your privacy policy could not be found. Another way to view your privacy policy is to use a tool like curl or ieHTTPHeaders. I like this second option a little better as it can give you a little more information to help you troubleshoot any problems.

In order to use curl to view the headers of your website you would issue a command like the following:


curl -I http://your-site.com/
This would then give you output like the following:
Server: nginx/0.5.36
Date: Mon, 15 Sep 2008 23:54:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=a7e8bd4550a17be49600891e16c75c73; expires=Wednesday, 24-Dec-08 23:54:33 GMT; path=/; domain=.your-site.com.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"
The last line starting with P3P tells you that you have a privacy policy installed. At this point if everything works you are done. But if your output looks almost identical to the above output, you still have one more problem to solve.


One Thing to Watch Out For

There is one small problem with the above output that curl generated. It really is not hard to solve but can take a little while to find if you don't know to look for it. The problem is that the cookie is generated before the privacy policy, which means that Internet Explorer will reject the cookie because at the time the cookie is being created the browser has not yet received the privacy policy. The only thing that needs to be done to fix this issue is to move the P3P header code so that it is output before the cookie generation code.
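
The ordering condition described above can be checked automatically against the output of curl -I. The following is an added example, not part of the original post; the function name check_p3p_order and both sample header sets are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_p3p_order is a hypothetical helper name.
# Reads HTTP response headers on stdin, e.g.:
#   curl -sI http://your-site.com/ | check_p3p_order
# Exit status: 0 = P3P compact policy precedes every Set-Cookie (or no cookies)
#              1 = at least one Set-Cookie is sent before the P3P header
#              2 = cookies are set but no P3P compact policy is sent at all
check_p3p_order() {
    awk '
    {
        sub(/\r$/, "")                      # curl prints CRLF line endings
        line = tolower($0)                  # header names are case-insensitive
        if (line ~ /^p3p:.*cp="[^"]+"/ && !p3p_line) {
            p3p_line = NR                   # first header carrying a compact policy
        } else if (line ~ /^set-cookie:/) {
            cookies++
            if (!p3p_line) early++          # cookie emitted before any P3P header
        }
    }
    END {
        if (cookies && !p3p_line) {
            print "FAIL: cookies are set but no P3P compact policy was sent"; exit 2
        }
        if (early) {
            printf "FAIL: %d Set-Cookie header(s) precede P3P (header line %d)\n", early, p3p_line
            exit 1
        }
        print "OK: P3P compact policy precedes all Set-Cookie headers"
    }'
}

# Constructed sample modelled on the curl output above: cookie sent before P3P.
SAMPLE_COOKIE_FIRST='HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=example; path=/
Pragma: no-cache
P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"'

# Constructed sample of the corrected order: P3P sent before the cookie.
SAMPLE_P3P_FIRST='HTTP/1.1 200 OK
P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"
Set-Cookie: PHPSESSID=example; path=/'

printf '%s\n' "$SAMPLE_COOKIE_FIRST" | check_p3p_order || true
printf '%s\n' "$SAMPLE_P3P_FIRST" | check_p3p_order
```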

Paul, 04-07-2011
Worked great. Thanks for sharing this.

bertusvandalen, 08-17-2013
great Brett, thanks for the suggestions, especially the last one! If one notices the cookie rejected in the first load and accepted after a page refresh this should be the case.