The opinions expressed herein are my own personal opinions and do not represent
my employer's view in any way.
Copyright 2014 Manish Kumar Singh
Wednesday, June 01, 2011
Compact P3P settings with IIS7
Yesterday, I came across a problem where cookies created by application X were not
readable by application Y, because X was running inside an IFrame when it created
the cookie. Though both X and Y belonged to the same domain, IE was still whining about
it. This is a problem with IE 6 onwards, Chrome and a few other browsers.
Firefox works like a breeze. This happens because cookies set from within an IFrame are treated as third-party
cookies and are restricted by browsers as a defence against any kind of spam.
So how the heck do I tell the browser that X and Y are legitimate brothers?
Simple ... do you have the birth certificate or any document to prove it? No??
OK, so prepare it ... go to sites like
p3pEdit or p3pWriter and
pay around $30 - $40 to generate a document. They will generate the policy XML and the
compact P3P string for you. Now you need to carry this proof everywhere you go.
I mean this compact P3P string needs to be attached to the headers of every response. When a client
browser finds this P3P header, it assumes that the site is not spam and lets the
other application read the cookie.
Hmmm ... nice security!
So, is it monitored, or does it work like an X.509 certificate?
It is a standard declaration as per W3C standards, but frankly, I don't even
know if this has anything to do with the law!!
But still browsers need it ... hmmm!
I'll take your word.
OK ... it's still not that strict, if you can give your word that X is a brother of Y.
You can provide a compact oath statement called compact P3P every time you send a response, to tell the clients that X or Y is not spam.
You don't need to spend the $30-$40 now ... you can do it later.
In a way, the ball is in your court when you say ... Noooo, I am not doing any spam, and not collecting any user data ... blah blah blah.
And you have to say it like an oath or a legal statement made up of standard words and points. Well, this is what compact P3P is!
To understand this huge list of tokens and their meanings, you can refer to
p3pWriter. All the best!
Fine ... I'll take your word and allow the cookies.
So you can attach the proof through an HttpModule by adding a header to every response:
HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR...\"");
Or through IIS.
IIS 7 settings for compact P3P
I'll show you how to apply it at the root, so that all sites inside IIS 7 have the header automatically attached to their responses.
However, you may opt for a particular site or folder instead.
On the IIS root, look for the HTTP Response Headers item in the Features View on the right pane.
Add an entry to this feature:
Name = p3p
Value = CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
That's it! You have declared that X and Y are brothers.
By doing this you have now allowed the cookies to be shared across the IFrame.
Later ... you need to have a policy purchased and placed at a URL that clients can read, so that they treat your declaration as legitimate.
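The same IIS 7 response header, written out as the web.config fragment the HTTP Response Headers feature stores (an added example, not from the original post). It reuses the compact policy tokens above; the policyref path /w3c/p3p.xml is an assumed location for the full policy XML the post says must be published later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config equivalent of the IIS 7 HTTP Response Headers
     entry. Placed at the server level it applies to all sites; placed in a
     site or folder web.config it applies only there, mirroring the GUI. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove any inherited P3P entry first; IIS rejects a duplicate
             header name when a parent level already defines one. -->
        <remove name="P3P" />
        <!-- Same compact policy tokens as in the post. The policyref value is
             an assumption: the URL where the full policy XML is published.
             Browsers that honour P3P only read this declaration; nothing here
             verifies that the application really behaves as declared. -->
        <add name="P3P"
             value='policyref="/w3c/p3p.xml", CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"' />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Check the result with a browser's network inspector or a plain HTTP request: every response from the scoped site should now carry the P3P header with exactly this value.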
Tuesday, May 31, 2011 11:00:08 PM (GMT Standard Time, UTC+00:00)