Cookies blocked / not saved in an IFRAME in Internet Explorer

Time: 2008-12-23 17:08:08

Tags: internet-explorer cookies privacy p3p

I have two websites, let's say example.com and anotherexample.net. On anotherexample.net/page.html I have an IFRAME SRC="http://example.com/someform.asp". The IFRAME displays a form for the user to fill in and submit to http://example.com/process.asp. When I open the form ("someform.asp") in its own browser window, everything works. However, when I load someform.asp as an IFRAME in IE 6 or IE 7, the cookies for example.com are not saved. In Firefox this problem does not occur.

For testing purposes I have created a similar setup at http://newmoon.wz.cz/test/page.php.

example.com uses cookie-based sessions (which I can do nothing about), so without the cookies process.asp cannot execute. How do I force IE to save those cookies?

Result of sniffing the HTTP traffic: in the GET /someform.asp response there is a valid per-session Set-Cookie header (e.g. Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY), but in the POST /process.asp request there is no Cookie header at all.

Edit3: Some AJAX + server-side scripting is apparently able to circumvent the problem, but this looks very much like a bug, and it opens up a whole new set of security holes. I don't want my application to rely on a combination of a bug + a security hole just because it's easy.

Edit: The P3P policy is the root cause; full explanation below.

22 answers:

Answer 0 (score: 427)

Answer 1 (score: 165)

I have spent a large part of my time researching this P3P thing and I feel obliged to share what I found.

I noticed that the P3P concept is outdated and seems to be only really used/enforced by Internet Explorer (IE).

The simplest explanation is: if you are using cookies, IE wants you to define a P3P header.

This is a good idea, and luckily most of the time not providing this header does not cause any problems (read: browser warnings). Unless your website/web application is loaded into another website using an (i)frame. This is where IE becomes a huge pain in the ***. It does not allow you to set a cookie unless the P3P header is set.

Knowing this, I wanted to find answers to the following two questions:

  1. Who cares? In other words, if I put the word "Potato" in the header, can I be sued?
  2. What do other companies do?

My findings were:

  1. Nobody cares. I could not find a single document suggesting that the technology has any legal weight. During my research I did not find a single country in the world that has adopted a law that would prevent you from putting the word "Potato" in the P3P header.
  2. Google and Facebook both add a link in their P3P header field, pointing to a page describing that they do not have a P3P header.
  3. The concept was born in 2002, and it puzzles me that this outdated and legally unenforced concept is still being forced on developers by IE. If this header has no legal consequences, it should be ignored (or, at most, generate a warning or notice in the console). Not enforced! I am now forced to add a line to my code (and send a header to the client) that does absolutely nothing.

In short - to keep IE happy - add the following line to your PHP code (other languages should be similar):

      header('P3P: CP="Potato"');

Problem solved; IE is happy with the potato.

Answer 2 (score: 55)

I just needed to add this little header to the site inside the IFrame (PHP solution) to get rid of the evil eye:

header('P3P: CP="NOI ADM DEV COM NAV OUR STP"');

Remember to press ctrl + F5 to reload your site, or Explorer may still show the evil eye even though it works fine. This was probably the main reason I had so many problems with it.

No policy file is necessary at all.

Edit: I found a nice blog post explaining the cookie-in-IFrame problem. It also has a quick fix in C# code: Frames, ASPX Pages and Rejected Cookies

Answer 3 (score: 21)

This was hidden in a comment on another answer, but I almost missed it, so it seems it deserves its own answer.

To review: for IE to accept third-party cookies, you need to serve your files with an http header named p3p in the following format:

CP="my compact p3p policy"

However, p3p is pretty much dead as a standard at this point, and you can easily make IE work without investing time and legal resources into creating a real p3p policy. This is because if your compact p3p policy header is invalid, IE actually treats it as a good policy and accepts third-party cookies. So you can use a p3p header like this:

CP="This site does not have a p3p policy."

You can optionally add a link to a web page explaining why you don't have a p3p policy, as Google and Facebook do (they point here: https://support.google.com/accounts/answer/151657 and here: https://www.facebook.com/help/327993273962160/).

Finally, it is important to note that all files served from the third-party site need to have the p3p header, not just the ones that set cookies, so you may not be able to do this in your PHP, ASP.NET etc. code. You are probably better off setting it at the web server level (i.e. in IIS or Apache).

Answer 4 (score: 20)

I also had this problem and thought I would post the code I use in my MVC2 project. Be careful about when in the page lifecycle you add the header, otherwise you get an HttpException "Server cannot append header after HTTP headers have been sent." I used a custom ActionFilterAttribute on the OnActionExecuting method (called before the action executes).

/// <summary>
/// Privacy Preferences Project (P3P) serve a compact policy (a "p3p" HTTP header) for all requests
/// P3P provides a standard way for Web sites to communicate about their practices around the collection, 
/// use, and distribution of personal information. It's a machine-readable privacy policy that can be 
/// automatically fetched and viewed by users, and it can be tailored to fit your company's specific policies.
/// </summary>
/// <remarks>
/// More info http://www.oreillynet.com/lpt/a/1554
/// </remarks>
public class P3PAttribute : ActionFilterAttribute
{
    /// <summary>
    /// On Action Executing add a compact policy "p3p" HTTP header
    /// </summary>
    /// <param name="filterContext"></param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContext.Current.Response.AddHeader("p3p","CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

        base.OnActionExecuting(filterContext);
    }
}

Usage example:

[P3P]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewData["Message"] = "Welcome!";

        return View();
    }

    public ActionResult About()
    {
        return View();
    }
}

Answer 5 (score: 14)

This is a great thread on the subject, but one important detail (essential at least in my case) that I found was not posted here or anywhere else (apologies if I missed it) is that the P3P line must be passed in the headers of EVERY file sent by the third-party server, even files that don't set or use cookies, such as Javascript files or images. Otherwise the cookies will be blocked. I have more on this in my post here: http://posheika.net/?p=110

Answer 6 (score: 5)

If anyone is looking for the Apache flavour; we used this.

Header set P3P "CP=\"Thanks IE8\""

As long as the P3P header is present, it doesn't matter what we set the CP value to.

Answer 7 (score: 5)

For anyone running into this problem in node.js.

Add this p3p module and enable it as middleware.

npm install p3p

I am using express, so I added this to app.js

First require the module in app.js

var express = require('express');
var app = express();
var p3p = require('p3p');

Then use it as middleware

app.use(p3p(p3p.recommended));

It will add the p3p header to the res object. No need to do anything extra.

You can get more information at:

https://github.com/troygoode/node-p3p
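As an added example (not code from any answer in this thread or from the node-p3p module), the following framework-agnostic Node.js middleware pulls together answers 3, 5 and 7: it sets the P3P header on every response, refuses to run once headers have already gone out, and checks the CP tokens against the P3P 1.0 compact-policy vocabulary so an operator can see when the site is only working because IE accepts an unparseable policy (such as "Potato"). The token lists are transcribed from the W3C P3P 1.0 specification; the sample policy strings are the ones quoted in the answers above.

```javascript
// Added example, not from any answer in this thread. Token lists transcribed
// from the W3C P3P 1.0 compact-policy vocabulary.

// Tokens that never take a suffix.
const PLAIN_TOKENS = new Set([
  'NOI', 'ALL', 'CAO', 'IDC', 'OTI', 'NON',               // ACCESS
  'DSP', 'COR', 'MON', 'LAW', 'NID',                      // DISPUTES, REMEDIES, NON-IDENTIFIABLE
  'NOR', 'STP', 'LEG', 'BUS', 'IND',                      // RETENTION
  'PHY', 'ONL', 'UNI', 'PUR', 'FIN', 'COM', 'NAV', 'INT', // CATEGORIES
  'DEM', 'CNT', 'STA', 'POL', 'HEA', 'PRE', 'LOC', 'GOV', 'OTC',
  'TST',                                                  // test policy
]);
// PURPOSE and RECIPIENT tokens may carry an a/i/o (always / opt-in / opt-out) suffix.
const SUFFIX_TOKENS = new Set([
  'CUR', 'ADM', 'DEV', 'TAI', 'PSA', 'PSD', 'IVA', 'IVD', 'CON', 'HIS', 'TEL', 'OTP',
  'OUR', 'DEL', 'SAM', 'UNR', 'PUB', 'OTR',
]);

// Parse a P3P header value such as 'policyref="/w3c/p3p.xml", CP="NOI ADM"'.
// Returns { policyref, tokens, unknown }; a non-empty `unknown` means IE is only
// accepting the policy because it treats an unparseable CP as satisfactory.
function parseP3P(headerValue) {
  const ref = /policyref="([^"]*)"/.exec(headerValue);
  const cp = /CP="([^"]*)"/.exec(headerValue);
  const tokens = cp ? cp[1].trim().split(/\s+/).filter(Boolean) : [];
  const unknown = tokens.filter((t) => {
    if (PLAIN_TOKENS.has(t)) return false;
    const m = /^([A-Z]{3})([aio])?$/.exec(t);
    return !(m && SUFFIX_TOKENS.has(m[1]));
  });
  return { policyref: ref ? ref[1] : null, tokens, unknown };
}

// Middleware factory (Express-style signature). Every response gets the header,
// including static JS and images: IE evaluates the policy per resource, not
// only on responses that carry Set-Cookie.
function p3pMiddleware(headerValue) {
  if (parseP3P(headerValue).tokens.length === 0) {
    throw new Error('P3P header value needs a CP="..." part');
  }
  return function (req, res, next) {
    // Headers are immutable once the body has started; mount this middleware first.
    if (res.headersSent) throw new Error('P3P header must be set before headers are sent');
    res.setHeader('P3P', headerValue);
    next();
  };
}
```

Mount it with `app.use(p3pMiddleware('CP="..."'))` ahead of any static-file handler, and log `parseP3P(value).unknown` at startup to catch typos in the token list.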

Answer 8 (score: 3)

I was investigating a problem with logging in via Azure Access Control Service and could not make head nor tail of anything.

Then, by chance, I found this article https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/

In short, IE does not share cookies across zones (e.g. Internet vs. Trusted sites).

So if your IFrame target and the html page are in different zones, P3P will not help at all.

Answer 9 (score: 3)

One solution I haven't seen mentioned here is to use session storage instead of cookies. Of course this may not fit everyone's requirements, but in some cases it is an easy fix.

Answer 10 (score: 3)

This post offers some comments on P3P and a simplified solution that may reduce problems with IE7 and IE8.

Answer 11 (score: 3)

One thing you could do is add the domain to the allowed sites under Tools -> Internet Options -> Privacy -> Sites: somedomain.com -> Allow -> OK.

Answer 12 (score: 2)

I have implemented a full P3P policy before but didn't want to go through the trouble again for the new project I'm working on. I found this link useful for a simple solution to the problem, which only requires specifying the minimal compact P3P policy "CAO PSA OUR":

http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html

The article references a (now broken) link to a Microsoft KB article. That policy did the trick for me!

Answer 13 (score: 2)

Ran into a similar problem and also looked into how to generate a P3P policy this morning; here is a post on how to generate your own policy and use it on a website :) http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-policy-and-implement.html

Answer 14 (score: 1)

This is what finally worked for me (after a lot of hassle and generating some policies with IBM's policy generator). You can download the policy generator here: http://www.softpedia.com/get/Security/Security-Related/P3P-Policy-Editor.shtml

I could no longer download the generator from the official IBM website.

I created these files in the root folder of the web app:

/index.php
/w3c/policy.html (Human readable format)
/w3c/p3p.xml
/w3c/policy.p3p

Index.php: just sends an extra header:

    header('P3P: policyref="/w3c/p3p.xml", CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV DEM"');

Contents of p3p.xml:

        <META>
            <POLICY-REFERENCES>
                <POLICY-REF about="/w3c/policy.p3p#App">
                    <INCLUDE>/</INCLUDE>
                    <COOKIE-INCLUDE/>
                </POLICY-REF>
            </POLICY-REFERENCES>
        </META>
      
Contents of my policy.html file:

        <html>
        <head>
        <STYLE type="text/css">
        title { color: #3333FF}
        </STYLE>
        <title>Privacy Statement for YOUR COMPANY NAME</title>
        </head>
        <body>
        <h1 class="title">Privacy Policy</h1>
        <!-- "About Us" section of privacy policy -->
        <h2>About Us</h2>
        <p>This is a privacy policy for YOUR COMPANY NAME.
        Our homepage on the Web is located at <a href="YOURWEBSITE">
        YOURWEBSITE</a>.
        The full text of our privacy policy is available on the Web at 
        <a href="ABSOLUTE URL OF THIS FILE">
        ABSOLUTE URL OF THIS FILE</a>
        This policy does not tell users where they can go to exercise their opt-in or opt-out options.
        <p>We invite you to contact us if you have questions about this policy.
        You may contact us by mail at the following address:
        <pre>FIRSTNAME LASTNAME
        YOUR ADDRESS HERE
        </pre>
        <p>You may contact us by e-mail at 
        <a href="mailto:info@YOURMAIL.de">
        info@YOURMAIL.eu</a>. 
        You may call us at TELEPHONENUMBER.
        <!-- "Privacy Seals" section of privacy policy -->
        <h2>Dispute Resolution and Privacy Seals</h2>
        <p>We have the following privacy seals and/or dispute resolution mechanisms.
        If you think we have not followed our privacy policy in some way, they can help you resolve your concern.
        <ul>
        <li>
        <b>Dispute</b>:
        Contact us for further information
        </ul>
        <!-- "Additional information" section of privacy policy -->
        <h2>Additional Information</h2>
        <p>
        This policy is valid for 1 day from the time that it is loaded by a client.
        </p>
        <!-- "Data Collection" section of privacy policy -->
        <h2>Data Collection</h2>
        <p>P3P policies declare the data they collect in groups (also referred to as "statements").
        This policy contains 1 data group.
        <hr width="50%" align="center">
        <h3>Group "App control data"</h3>
        <p>We collect the following information:
        <ul>
        <li>HTTP cookies</li>
        </ul>
        <p>This data will be used for the following purposes:</p>
        <ul>
        <li>Completion and support of the current activity.</li>
        <li>Web site and system administration.</li>
        <li>Research and development.</li>
        <li>Historical preservation.</li>
        <li>Other purposes<p>Control Flow of the application</p></li>
        </ul>
        <p>This data will be used by ourselves and our agents.
        <p>The data in this group has been marked as non-identifiable. This means that there is no
        reasonable way for the site to identify the individual person this data was collected from.
        <p>The following explanation is provided for why this data is collected:</p>
        <blockquote>This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</blockquote>
        <!-- "Use of Cookies" section of privacy policy -->
        <hr width="50%" align="center">
        <h2>Cookies</h2>
        <p>Cookies are a technology which can be used to provide you with tailored information from a Web site. A cookie is an element of data that a Web site can send to your browser, which may then store it on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it.
        <p>Our site makes use of cookies.
        Cookies are used for the following purposes:
        <ul>
        <li>Site administration
        <li>Completing the user's current activity
        <li>Research and development
        <li>Other
        (Control Flow of the application)
        </ul>
        <!-- "Compact Policy Explanation" section of privacy policy -->
        <hr width="50%" align="center">
        <h2>Compact Policy Summary</h2>
        <p>The compact policy which corresponds to this policy is:
        <pre>
            CP="ALL DSP NID CURa ADMa DEVa HISa OTPa OUR NOR NAV"
        </pre>
        <p>The following table explains the meaning of each field in the compact policy.
        <center><table width="80%" border="1" cols="2">
        <tr><td align="center" valign="top" width="20%"><b>Field</b></td><td align="center" valign="top" width="80%"><b>Meaning</b></td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>CP=</tt></td>
        <td align="left" valign="top" width="80%">This is the compact policy header; it indicates that what follows is a P3P compact policy.</td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>ALL</tt></td>
        <td align="left" valign="top" width="80%">
        Access to all collected information is available.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>DSP</tt></td>
        <td align="left" valign="top" width="80%">
        The policy contains at least one dispute-resolution mechanism.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>NID</tt></td>
        <td align="left" valign="top" width="80%">
        The information collected is not personally identifiable.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>CURa</tt></td>
        <td align="left" valign="top" width="80%">
        The data is used for completion of the current activity.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>ADMa</tt></td>
        <td align="left" valign="top" width="80%">
        The data is used for site administration.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>DEVa</tt></td>
        <td align="left" valign="top" width="80%">
        The data is used for research and development.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>HISa</tt></td>
        <td align="left" valign="top" width="80%">
        The data is used for historical archival purposes.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>OTPa</tt></td>
        <td align="left" valign="top" width="80%">
        The data is used for other purposes.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>OUR</tt></td>
        <td align="left" valign="top" width="80%">
        The data is given to ourselves and our agents.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>NOR</tt></td>
        <td align="left" valign="top" width="80%">
        The data is not kept beyond the current transaction.
        </td></tr>
        <tr><td align="left" valign="top" width="20%"><tt>NAV</tt></td>
        <td align="left" valign="top" width="80%">
        Navigation and clickstream data is collected.
        </td></tr>
        </table></center>
        <p>The compact policy is sent by the Web server along with the cookies it describes.
        For more information, see the P3P deployment guide at <a href="http://www.w3.org/TR/p3pdeployment">http://www.w3.org/TR/p3pdeployment</a>.
        <!-- "Policy Evaluation" section of privacy policy -->
        <hr width="50%" align="center">
        <h2>Policy Evaluation</h2>
        <p>Microsoft Internet Explorer 6 will evaluate this policy's compact policy whenever it is used with a cookie.
        The actions IE will take depend on what privacy level the user has selected in their browser (Low, Medium, Medium High, or High; the default is Medium.
        In addition, IE will examine whether the cookie's policy is considered satisfactory or unsatisfactory, whether the cookie is a session cookie or a persistent cookie, and whether the cookie is used in a first-party or third-party context.
        This section will attempt to evaluate this policy's compact policy against Microsoft's stated behavior for IE6.
        <p><b>Note:</b> this evaluation is currently experimental and should not be considered a substitute for testing with a real Web browser.
        <p><b>Satisfactory policy</b>: this compact policy is considered <em>satisfactory</em> according to the rules defined by Internet Explorer 6.
        IE6 will accept cookies accompanied by this policy under the High, Medium High, Medium, Low, and Accept All Cookies settings.
        </body></html>

Contents of policy.p3p:

          <?xml version="1.0"?>
          <POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
              <!-- Generated by IBM P3P Policy Editor version Beta 1.12 built 2/27/04 1:19 PM -->
          
              <!-- Expiry information for this policy -->
              <EXPIRY max-age="86400"/>
          
          <POLICY
              name="App"
              discuri="ABSOLUTE URL TO policy.html"
              xml:lang="de">
              <!-- Description of the entity making this policy statement. -->
              <ENTITY>
              <DATA-GROUP>
          <DATA ref="#business.name">COMPANY NAME</DATA>
          <DATA ref="#business.contact-info.online.email">info@YOURMAIL.eu</DATA>
          <DATA ref="#business.contact-info.online.uri">YOURWEBSITE</DATA>
          <DATA ref="#business.contact-info.telecom.telephone.number">YOURPHONENUMBER</DATA>
          <DATA ref="#business.contact-info.postal.organization">FIRSTNAME LASTNAME</DATA>
          <DATA ref="#business.contact-info.postal.street">STREET</DATA>
          <DATA ref="#business.contact-info.postal.city">CITY</DATA>
          <DATA ref="#business.contact-info.postal.stateprov">STAGE</DATA>
          <DATA ref="#business.contact-info.postal.postalcode">POSTALCODE</DATA>
          <DATA ref="#business.contact-info.postal.country">Germany</DATA>
              </DATA-GROUP>
              </ENTITY>
          
              <!-- Disclosure -->
              <ACCESS><all/></ACCESS>
          
          
              <!-- Disputes -->
              <DISPUTES-GROUP>
                  <DISPUTES resolution-type="service" service="YOURWEBSITE CONTACT FORM" short-description="Dispute">
                      <LONG-DESCRIPTION>Contact us for further information</LONG-DESCRIPTION>
              <!-- No remedies specified -->
                  </DISPUTES>
              </DISPUTES-GROUP>
          
              <!-- Statement for group "App control data" -->
              <STATEMENT>
                  <EXTENSION optional="yes">
                      <GROUP-INFO xmlns="http://www.software.ibm.com/P3P/editor/extension-1.0.html" name="App control data"/>
                  </EXTENSION>
          
              <!-- Consequence -->
              <CONSEQUENCE>
          This cookie data is only used to control the application within an iframe (e.g. a Facebook App)</CONSEQUENCE>
          
              <!-- Data in this statement is marked as being non-identifiable -->
              <NON-IDENTIFIABLE/>
          
              <!-- Use (purpose) -->
              <PURPOSE><admin/><current/><develop/><historical/><other-purpose>Control Flow of the application</other-purpose></PURPOSE>
          
              <!-- Recipients -->
              <RECIPIENT><ours/></RECIPIENT>
          
              <!-- Retention -->
              <RETENTION><no-retention/></RETENTION>
          
              <!-- Base dataschema elements. -->
              <DATA-GROUP>
              <DATA ref="#dynamic.cookies"><CATEGORIES><navigation/></CATEGORIES></DATA>
              </DATA-GROUP>
          </STATEMENT>
          
          <!-- End of policy -->
          </POLICY>
          </POLICIES>
          

Answer 15 (score: 1)

I know I'm a bit late to contribute to this question, but I lost a lot of time on it and maybe this answer will help someone.

I was trying to call a third-party cookie on my website and of course, even with a lower security level, it would not work on Internet Explorer 10... don't ask me why. In the iframe I called read_cookie.php (echo $_COOKIE) with ajax.

I don't know why I could not get a P3P policy set up to solve the problem...

During my search I saw something about using cookies in JSON. I didn't even try it, because I figured that if the cookie wouldn't pass through the iframe, it wouldn't pass through an array either...

Guess what, it does! So if you json_encode your cookie and then decode it after your ajax request, you get it!

Maybe there is something I missed, and if so my apologies, but I have never seen anything so stupid. Blocking third-party cookies for security, why not, but letting them through if they are encoded? Where is the security now?

I hope this post helps someone, and if I missed something and I'm being silly, please educate me!

Answer 16 (score: 1)

If you own the domain that needs to be embedded, you can redirect to that domain before calling the page that contains the IFrame; that domain creates the cookie and redirects back, as described here: http://www.mendoweb.be/blog/internet-explorer-safari-third-party-cookie-problem/

This works for Internet Explorer, but also for Safari (since Safari also blocks third-party cookies).

Answer 17 (score: 1)

You can also combine the p3p.xml and policy.xml files into one:

/home/ubuntu/sites/shared/w3c/p3p.xml

<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="#policy1">
      <INCLUDE>/</INCLUDE>
      <COOKIE-INCLUDE/>
    </POLICY-REF>
  </POLICY-REFERENCES>
  <POLICIES>
    <POLICY discuri="" name="policy1">
      <ENTITY>
        <DATA-GROUP>
          <DATA ref="#business.name"></DATA> 
          <DATA ref="#business.contact-info.online.email"></DATA> 
        </DATA-GROUP>
      </ENTITY>
      <ACCESS>
        <nonident/>
      </ACCESS>
      <!-- if the site has a dispute resolution procedure that it follows, a DISPUTES-GROUP should be included here -->
      <STATEMENT>
        <PURPOSE>
          <current/>
          <admin/>
          <develop/>
        </PURPOSE>
        <RECIPIENT>
          <ours/>
        </RECIPIENT>
        <RETENTION>
          <indefinitely/>
        </RETENTION>
        <DATA-GROUP>
          <DATA ref="#dynamic.clickstream"/>
          <DATA ref="#dynamic.http"/>
        </DATA-GROUP>
      </STATEMENT>
    </POLICY>
  </POLICIES>
</META>

I found the easiest way to add the header was through an Apache proxy using mod_headers, as follows:

<VirtualHost *:80>
  ServerName mydomain.com

  DocumentRoot /home/ubuntu/sites/shared/w3c/

  ProxyRequests off
  ProxyPass /w3c/ !
  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyPreserveHost on

  # Header value only; the "P3P:" name must not be repeated inside the value
  Header add P3P 'policyref="/w3c/p3p.xml", CP="NID DSP ALL COR"'
</VirtualHost>

So we proxy all requests except /w3c/p3p.xml to our application server.

You can test everything with the W3C validator.

Answer 18 (score: 0)

In Rails I'm using this gem: https://github.com/merchii/rack-iframe. Basically it sets a bunch of abbreviations without any reference file: https://github.com/merchii/rack-iframe/blob/master/lib/rack/iframe.rb#L8

Easy to install when you don't care at all what p3p means.

Answer 19 (score: 0)

For anyone trying to get a P3P Compact Policy to work with static content:

If you are able to send custom server-side response headers with static content, then

See my answer for a more detailed explanation: Set P3P code in HTML

Answer 20 (score: 0)

In Rails 3.2 I'm using:

class ApplicationController < ActionController::Base

  before_filter :set_p3p

  private

  # for IE session cookies thru iframe
  def set_p3p
    headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'
  end
end

I got this from http://dot-net-web-developer-bristol.blogspot.com/2012/04/setting-p3p-header-in-rails-session.html

Answer 21 (score: -1)

A better solution is to make an Ajax call inside the iframe to get/set the cookie...