Copyright 2014 Manish Kumar Singh
Wednesday, June 01, 2011
Compact P3P settings with IIS7
Yesterday, I came across a problem where cookies created by application X were not readable by application Y, because X was running inside an IFrame when it created the cookie. Though both X and Y belonged to the same domain, IE still whined about it. This is a problem with IE 6 onwards, Chrome and a few other browsers. Firefox works like a breeze. It happens because cookies set from an IFrame are treated as third-party cookies and are restricted by browsers as a precaution against any kind of spam.

So how the heck do I tell the browser that X and Y are legitimate brothers?

Simple ... do you have the birth certificate or any document to prove it? No?? OK, so prepare it ... go to sites like p3p Edit or p3p Writer, pay around $30 - $40 to generate a document. It will generate the policy XML and the compact P3P string for you. Now you need to carry this proof everywhere you go. I mean this compact P3P needs to be attached to the headers of every response. When a client browser finds this P3P header, it assumes that the site is not spam and lets the other application read the cookie.

Hmmm ... nice security!

So, is it monitored, or does it work like an X.509 certificate?

Nope!
It is a standard declaration as per W3C standards, but frankly, I don't even know if this has anything to do with the law!!
But still browsers need it ... hmmm!

I'll take your word

OK ... it's still not that strict: it is enough if you give your word that X is a brother of Y.

You can provide a compact oath statement, called a compact P3P, every time you send a response, to tell the clients that X or Y is not spam. You don't need to spend $30-$40 now ... you can do it later.

In a way, the ball is in your court when you say ... Noooo, I am not doing any spam, and not collecting any user data ... bla bla bla. And you have to say it like an oath or a legal statement comprised of standard words and points. Well, this is what compact P3P is!

To understand this huge list of words and their meaning you can refer to p3pwriter ... All the best!

Fine ... I'll take your word and allow the cookies. So you can attach the proof through a module, by adding a header to every response:

HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR...\"");

Or through IIS

IIS 7 settings for compact p3p

I'll show you how to apply it at the root, so that all sites inside IIS 7 have the header automatically attached to the response. However, you may opt for a particular site, or a folder.
On the IIS root, look for the HTTP Response Headers item in the features view on the right pane. Add an entry to this header:
Name = p3p
Value = CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
That's it! You have declared that X and Y are brothers ... :-).

By doing this you have now allowed the cookies to be shared from the IFrame. Later ... you need to have a policy purchased and placed at a URL that clients can read, so that they treat your declaration as legitimate.
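Because the whole mechanism rests on the browser finding a well-formed CP= string on the cookie-setting response, it is worth checking that the header really lands there and that every token in it is one the browser recognizes (a typo in the IIS value silently loses the effect). The script below is an added example, not code from the original post: it parses a raw HTTP response (a constructed sample built around the header value above), reports whether a response that sets a cookie also carries a compact policy, and lists any token outside the P3P 1.0 compact vocabulary. The vocabulary table, the sample response and the function names are this example's own assumptions. P3P has since been retired by the W3C and by modern browsers, so this serves auditing of legacy IIS configurations rather than as a current fix.

```python
import re

# P3P 1.0 compact-policy vocabulary (assumption of this example, transcribed
# from the spec). Tokens in QUALIFIED take a one-letter suffix:
# a = always, i = opt-in, o = opt-out (e.g. CURa, ADMa).
QUALIFIED = {
    "CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",  # purposes
    "DEL", "SAM", "UNR", "OTR",                                                          # recipients
}
PLAIN = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",                                    # access
    "DSP",                                                                       # disputes
    "COR", "MON", "LAW",                                                         # remedies
    "NID",                                                                       # non-identifiable
    "OUR", "PUB",                                                                # recipients
    "NOR", "STP", "LEG", "BUS", "IND",                                           # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA", # categories
    "POL", "HEA", "PRE", "LOC", "GOV", "OTC",
    "TST",                                                                       # test policy
}

# Constructed sample: what an IIS response with the root-level header should look like.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; path=/\r\n"
    'P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"\r\n'
    "\r\n"
    "<html></html>"
)


def parse_headers(raw_response):
    """Split a raw HTTP/1.x response into (lower-cased name, value) pairs."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_compact_policy(header_value):
    """Return the token list from a P3P header value such as CP="IDC DSP ...".
    An empty list means the header carries no CP= directive."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    return m.group(1).split() if m else []


def unknown_tokens(tokens):
    """Return the tokens that are not in the P3P 1.0 compact vocabulary."""
    bad = []
    for tok in tokens:
        t = tok.upper()
        if t in PLAIN:
            continue
        if len(t) == 4 and t[:3] in QUALIFIED and t[3] in "AIO":
            continue
        bad.append(tok)
    return bad


def check_response(raw_response):
    """Report whether a response that sets a cookie also carries a well-formed
    compact policy; that is what the IFrame cookie case above depends on."""
    headers = parse_headers(raw_response)
    sets_cookie = any(name == "set-cookie" for name, _ in headers)
    p3p_values = [value for name, value in headers if name == "p3p"]
    tokens = parse_compact_policy(p3p_values[0]) if p3p_values else []
    bad = unknown_tokens(tokens)
    return {
        "sets_cookie": sets_cookie,
        "has_p3p": bool(p3p_values),
        "tokens": tokens,
        "unknown": bad,
        # ok: a cookie-setting response carries a CP made only of known tokens
        "ok": (not sets_cookie or bool(tokens)) and not bad,
    }


if __name__ == "__main__":
    for key, value in check_response(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run it against a response captured from your own server (for example, the output of a raw request to the IIS site after adding the header) and look at the "ok" line; an "unknown" list that is not empty points at a token the browser will not understand.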

.Net
Tuesday, May 31, 2011 11:00:08 PM (GMT Standard Time, UTC+00:00)