How to set third-party cookies with iframe

How to set third-party cookies with iframe?

I had problem with the lead base ad click tracking. I was using the iFrame to track the lead information from the advertiser site. But somehow IE is not sending any cookie information from there. Infect firefox also doesn’t send any cookie information for the first request (i.e. when the iFrame src page is called) but if you call any page from the main file (i.e. specified in the source for iFrame like image or script src), I get the cookies.

What are third-party cookies?

If you put your code on other website using iFrame which calls pages from your site, then the cookies groups are called third party cookies (as both the domains, main page source and iFrame source, are different). Other examples of third party cookies are images or other objects contained in a Web page may reside in servers different from the one holding the page. In order to show such a page, the browser downloads all these objects, possibly receiving cookies. These cookies are called third-party cookies if the server sending them is located outside the domain of the Web page.

Some browsers allow third party cookies and in some browsers, like Internet Explorer, it depends on the privacy settings of the browser. In IE6 (Internet Explorer 6) with the default privacy setting of ‘Medium’, third party cookies will be deleted.

As it turns out, there is a simple solution. If you supply a ‘compact privacy policy’ with your page, then IE will treat the cookies with respect and let them through.

The code

Just add this to the start of your page (every page where cookies will be written):

How to set p3p http header in ASP.Net?

HttpContext.Current.Response.AddHeader("p3p", "CP=\""IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""")

How to set p3p http header in PHP?

header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

How to set p3p http header in JSP?

response.setHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'")

How to set p3p http header in ColdFusion?

The above code will set P3P (Platform for Privacy Preferences Project) header. It allows the browser (specially Internet Explorer) to through all the third-party cookies (which may be set through iFrame).

Get our Articles via Email. Enter your email address.

You may also like...

59 Comments

  1. senthil says:

    how to delete the third-party cookies, when i using p3p cookies?

  2. murali says:

    hi viral,
    Ur blog is quiet interesting….. Today i spend more time in ur blog…. Make it quiet more active dude…. have in touch thro’ my mail id….

  3. Viral says:

    Thanks Murali for the comments…
    And do visit again.. you may find more interesting things on this.

  4. Nebu says:

    This exactly solves my problem thanks

  5. jorge says:

    Or, you can do this in .htaccess file on APACHE:

    Header set P3P “policyref=\”/w3c/p3p.xml\”, CP=\”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\””

  6. Brian says:

    Is this all that I have to do? Just set the P3P in the header? Do I have to create an /w3c/p3p.xml document as well? Anything else? Thanks

  7. Gaurav says:

    Hello Brian, Just set the P3P header with the said values and it will do the rest :)

  8. Alfredo Uribe says:

    Hey, it was just what i needed! thanks a lot.

  9. Jeremy says:

    Works for IE, but not Safari. How do you solve the problem for Safari?

  10. Dan says:

    I’m trying this with a Drupal powered site, in particular on this page http://www.clubtalk.co.uk/online-billing

    I’ve tried adding the PHP code into one of the theme files but it doesn’t seem to work. Anyone know what to do when it comes to Drupal and themes?

  11. thierry says:

    hi, looks great, but what is the code for asp (not .net)?

    I have an asp container page calling a php page in an iframe.

    I have placed this in the asp CONTAINER page:

    I have placed this in the php FRAMED page:

    And I am still blocked on IE7

    thanks for helping…

  12. thierry says:

    my code was removed so I am pasting again

    hi, looks great, but what is the code for asp (not .net)?

    I have an asp container page calling a php page in an iframe.

    I have placed this in the asp CONTAINER page:
    Response.AddHeader “P3P”,”CP=””IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT”””

    I have placed this in the php FRAMED page:
    header(‘P3P:CP=”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT”‘);

    And I am still blocked on IE7

    thanks for helping…

  13. Ross says:

    Heya!

    Thanks for this. Saved my life.

    Just one thing: the code for ASP.NET is incorrect. You have too many double quotes. It should be:

    HttpContext.Current.Response.AddHeader(“p3p”, “CP=\”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\””);

    Thanks again,

    Ross

  14. Seph says:

    Hey Gaurav

    Thank you for this post – it saved me quite some time. Apparently just implementing W3\’s p3p policy files isn\’t enough, these magic headers are needed to enable third party cookies in IE. Safari 4 and FF 3 seems to work without issues both before and after this.

    Regards
    Seph

  15. Alonso says:

    doesnt work for me….
    i had this code right in the top of my page.

    response.setHeader(“P3P”, “CP=\”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\””);

    in a file named p3p.jsp

    so in another page i do this

    <%@ include file=\"/common/p3p.jsp\" %>

    <html>
    .
    .
    .
    </html>

    i have this code in all the pages that goes inside of an iframe of other domain.
    Do i need to put the same code in the the pages that includes the iframe content.

    what does IDC, DSP, COR, ADM, ….. mean ?

    Im using spring framework , should i put the code in the controller before returning the view ?

    im meaning this…..

    response.setHeader(\"P3P\", \"….\");
    return new ModelAndView(\"thepage\", map);

    thanks id advance….

  16. Alonso says:

    Its done.

    I already got it working.

    i just put.

    reponse.addHeader(\"P3P\", \"CP=\"\\\" IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA \\\"\");
    before returning the view. instead of putting this alone in a jsp file.

    thank you

    • simply says:

      this doesn’t work for me.
      i have this code:
      response.setHeader(“P3P”, “CP=\”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\””);
      at the top of every jsp page.
      i tried also
      .
      the cookies are still not being passed in IE.
      im using java in spring framework.
      any ideas?
      you say to add it to the view in the controller.
      what does that mean exactly and why would it be different than adding it to the top of the jsp page?

  17. Jimmy says:

    This does not work with Firefox 3.5.3 (didnt try any other version) when disabling 3rd party cookies via about:config and changing network.cookie.cookieBehavior value to 1.

    /Jimmy

  18. Greg says:

    You can’t just set the headers anymore (for IE8 anyways).
    You have to have a valid p3p.xml file in place that is referenced from the header.
    There are also a few new ‘gotchas’ that can cause cookies to be blocked.

    It used to be quite easy to overcome the cookie blocking problem (using basic headers) but updated browsers are getting tighter and tighter with the whole privacy thing.

    Easiest p3p.xml generator I’ve found (and used ) is http://p3pwiz.com

    Greg

  19. sohbet says:

    thank you for this article …

    • Viral Patel says:

      @sohbet: you welcome.
      Feel free to share/bookmark the article :)

  20. Jack says:

    Hi, this did not work for me. Can you please take a look:

    http://www.koty.org.pl/test_cookie_iframe.html

    I am calling an iframe that sets up Cookies by Javascript. I tried calling them through PHP as well, and it does not work. (header is defined through PHP). Any ideas?

  21. Rob MacDonald says:

    Does anyone know how you can get IE to accept 3rd party cookies when you can’t change the 3rd party site? Is this possible?

  22. hi all,
    the solution did not work for me.
    i put the code in my http header as described but the third party cookies in my iframe are still blocked. any ideas?
    thanks
    martin

  23. MEMark says:

    Hi!

    Any ideas how to solve this for Safari? Is forcing the using to “globally” change his cookie policy the only way?

    Regards
    M

  24. msolution says:

    Hi,
    didnt work for me in IE8, am using an iFrame and ive tried the meta tag and the php header,… it doesnt work with affiliate links, ive also set the p3p.xml file and the policy1.xml file and validated it from the validator at w3c site.

    any help would be appreciated. this is $urgent$ for me,

    M.

  25. Shafiq says:

    P3P header do not resolve the 3rd party cookies in safari, Please share your thoughts if anybody has ever resolved this issue this in safari

  26. Jon says:

    I have created a big site for a client of mine where members come in and there are many links that get loaded into a frame, and he is an affiliate for all theses different sites. We ran into the problem of the 3rd party cookies being blocked so he was missing out on some commissions. We realized the problem when we discovered a shopping cart on one site didn’t work within the frame, but outside the frame it did. Obviously we can’t control these 3rd party sites privacy policy and asking them to change their site would be one heck of a task and I doubted most of them would.

    So I discovered a solution that works in Coldfusion (however, it should work fine in PHP and ASP). Simply do a cfhttp post GET to the site prior to loading it in the frame. This will create the cookies that the site is creating when you land on it and they will no longer be treated as ‘3rd party cookies’ though the IE user will still see the eye in the bar at the bottom about a privacy warning. Who cares, as long as the cookies are being set :-)

  27. Excellent info provided in the post ..

  28. Mikael says:

    Your solution and explonation on how to allow 3rd party cookies just saved my day.
    I had major problems with redirecting from a page embedded in an Iframe in a site on another domain. Just adding your one line of code solved all the problems.

    Thanks for sharing this valuable trick.

    Mikael

  29. Mike says:

    This is BS, could you perhaps explain a little bit better :S

  30. Kot says:

    Then try if it works.

  31. Matt says:

    Any fixes to make this work for Firefox 3.5 and higher?

  32. blazer says:

    Thx soo much for this trick!

  33. Tilli says:

    @MEMark – To solve this in safari, you need to provide a link. you can’t do it directly as safari doesn’t allow this.

    • Vincent says:

      what kind of link?

  34. Hakan Acar says:

    I have a same problem Chrome and Firefox.Sometimes Cookies and Sessions down at the same time.

  35. I have tried various headers, and and also adding this to the Web.Config file
    system.webserver
    httpProtocol
    customHeaders

    but no cookies are save in IE9.
    Also tried setting it manually in the Application_BeginRequest event of an MVC application.
    HttpContext.Current.Response.AddHeader(“p3p”, “CP=\”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\””);
    Cannot get this to work on IIS running on Windows 7. No cookies saved in the IFrame in IE. Of course it works (without the headers) perfectly in Chrome and FireFox.
    I fact, debugging the site in IE (VS.NET 2010) shows NO cookies at all and every Session cookie is actually created new in every request inside the IFrame.

    Any one tried this in a MVC 3 application?

    • Ok, it is working on IIS running on Windows 2008. Did not work in local dev environment. (Windows 7, iIS7)
      Thx

  36. PM says:

    Many Thanks Gaurav! We were struggling with this issue from last 2 days… Could not thank you enough!

  37. game reviews says:

    An all round great article.

  38. Ryan Searle says:

    I have a WordPress site and am using iframe to embed another site into my one of my pages. The page that is embedded is an online ordering catalog that users must login to and view products. It works great on Safari, Firefox, and Chrome, but Internet Explorer blocked the embedded site in the iframe when I try to log in.

    I have tried to put the PHP header in the top of my WordPress page, but does this have to also be in the page that is embedded in the iframe? If so, I can’t do that and is there another way to embed a web page?

    Thanks,
    Ryan Searle

  39. Laxmikant says:

    hi,

    I faced the problem of set cookie using php for windows 7 os with safari 5.1.2(7534.52.7) version.
    my code is as below.

    setcookie($cookie_name, $counter1,time() +3600*24,”/”,”mysubdomain.com”);

    This code works fine for windows7 with 5.1(7534.50)

    any help will be appreciate.

    If anyone faced and resolved this issue

    please reply.

    thanks in advanced.

  40. sekhs says:

    Hi ,

    Is this code to be placed in the content page(outside iframe) or the page inside the iframe.

    Also what about the p3p xml ?

    Thanks,
    Sekh

  41. Yotam says:

    You can’t just set p3p headers and files as much as you want please read this to get an idea of the implecations:
    http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer

  42. Franck says:

    Hi,

    In fact, where to put the p3p header ?

    in the webpage creating a framset, or on the external site inside the frame ??

    thanx !

    Franck

  43. olauno says:

    @Frank you would need to place the p3p on any page collecting info as well inside js if going back to a form etc. as well the pages inside the frame which most times reside in a different directory. try the following but you will still need an xml file and ref it in the uri

  44. azepezauer says:

    Apparently this no longer works in Safari. There’s a solution for Safari that involves opening a pop-up window, but I’d like to find another way since the user could have popups blocked as well. Has anybody found a good solution for Safari?

  45. azepezauer says:

    This describes the solution using the popup: http://www.reizbombardement.de/archives/safari-5-1-4-enforces-cookie-policy

  46. rand0m says:

    The ColdFusion tag worked perfectly! IE was allowing me to set normal cookies, but would not store the CF or custom session cookies. This line of code in my Application.cfc file and all is well :)

    Thanks!

  47. Mahesh says:

    Thanks Gaurav. This has worked perfectly for us.

  48. Sammy says:

    Thanks for sharing your thoughts about 3rd party cookies.
    Regards

  49. Greg says:

    Thanks man,
    exactly that solved my issue.

  50. rajesh says:

    I am using third party in my website.so for that i require p3p policy.so is it free version or i have to purchase for same ??
    The application has been developed in Asp.Net.So now i want to implement in same.
    Please help me.
    Thanks in Advance..

  51. richard thompson says:

    How to set p3p http header in HTML?

    I am constructing a website that needs to set a html frame redirect to a third party website, which requires me to enable 1st party cookies. Under my frame structure, the cookies become 3rd party cookies, then I need to accept 3rd party cookies in order to enter this third party website. Is this p3p http header could help me to enter this website without enabling 3rd party cookies?

  52. dowrow says:

    THANK YOU!!
    You saved my day.

  53. tammy says:

    Fix typo “Infect” –> should be “In fact”.

  54. Avmp says:

    Imagine if I have to read this cookie from a second app in ASP.NET, how is it works?
    For example in the first app I set up this P3P and I call a second app through a link to my iframe but on the second App I have to read this cookie to access a custom header inn it, how can I do this?

    regards

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.