Anatoly Lubarsky

The Problem

Q: Why "make sure to implement P3P if using iframes" ?

A: If your application is inside iframe with parent belongs to another domain - cookies will not work for some very common configurations for example IE 6/7 with privacy set to medium. If cookies don't work - session won't work.

Therefore session state turns out useless for your application under Internet Explorer. See - Privacy in Internet Explorer 6.

This is relevant when domain that hosts iframe is different from parent domain. Because of the fact that this is not very common scenario - only a few familiar with the solution.

The Solution

Solution - need to implement P3P header to tell the browser that cookies for your application inside iframe are OK for user privacy.

So, ASP.NET implementation may look like the following (global.asax):

protected void Application_BeginRequest(Object sender, EventArgs e)
{
    //
    HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
}

BTW, Safari won't accept cross-domain cookies even with the P3P headers.

Related Posts:

• Why "aspnet_regiis -i" is Bad Practices
• ASP.NET: HtmlHead ControlAdapters implementation
• ASP.NET: Override HtmlHead Rendering with ControlAdapters
• ASP.NET: HttpNotFoundHandler Custom Implementation
• ASP.NET 2.0: MasterPage HtmlHead Renders Messy HTML
• ASP.NET 2.0: Bug - XHTML - Javascript Rendering
• ASP.NET: Bug in IIS - .NET runtime versions compatibility
• Atlas, Atlas, Atlas
• Webresource.axd HttpHandler (Compression, Caching, Debug issues)
• ASP.NET 2.0: How do I Video Series is Available