Friday, 13 April 2012

Setting a P3P header in Rails - Session cookies in iframes in IE

Friday 13th, and today I spent far too long battling with a problem that I should have recalled from a previous skirmish. Never shall I forget again!

Some versions of IE, on some versions of Windows, have stricter policies regarding third-party content served through an iframe. Confusingly, the same browser (IE8 for example) will behave differently on different Windows versions: some will allow session cookies, and some won't. You know you've been nobbled when you see the evil eye at the bottom of the browser with a red sign on it.

The way round this is to send a P3P header with a compact privacy policy in your iframed content:
class ApplicationController < ActionController::Base
  before_filter :set_p3p

  private

  # for IE session cookies through an iframe
  def set_p3p
    headers['P3P'] = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'
  end
end
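
The same header can be set one layer down, so that responses which never pass through ApplicationController also carry it. The following is an added example, not code from the original post: the class name P3PHeader, the helper demo_response and the two sample apps are hypothetical, and it assumes a Rack version that accepts mixed-case header names.

```ruby
# Added example: Rack middleware (hypothetical name P3PHeader) that attaches
# the compact policy to every response, not only ApplicationController ones.
# In a Rails app it would be registered in config/application.rb with:
#   config.middleware.use P3PHeader
class P3PHeader
  # Compact policy string taken from the post above.
  DEFAULT_POLICY = 'CP="ALL DSP COR CURa ADMa DEVa OUR IND COM NAV"'.freeze

  def initialize(app, policy = DEFAULT_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive; do not overwrite a policy that a
    # controller or upstream middleware already set.
    already_set = headers.keys.any? { |name| name.to_s.casecmp('P3P').zero? }
    headers['P3P'] = @policy unless already_set
    [status, headers, body]
  end
end

# Constructed sample apps standing in for the real application.
PLAIN_APP  = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['ok']] }
CUSTOM_APP = ->(_env) { [200, { 'p3p' => 'CP="NOI"' }, ['ok']] }

# Runs one request (empty env) through the middleware and returns the
# [status, headers, body] triple.
def demo_response(app)
  P3PHeader.new(app).call({})
end
```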


  1. You just made my day! Thank you!

  2. Very thank you! Simple and functional.

  3. Nick den Engelsman, 31 October 2012 at 08:58

    OMG! My week just got a lot better :D
    Many thanks from the Netherlands!

  4. just saved my life :D


