iFrames + Google Analytics + Cookies + P3P

Question

I am working on a website that generates traffic for partner sites. When a partner site's logo is clicked on our site we open the partner site in a page that contains our basic header and the partner site within an iframe. Earlier we were simply opening the partner site in new window. All cool so far.

Most partner sites use google analytics to track the traffic that we send them and soon after we started opening sites within iframe our partners reported that google analytics does not track data anymore (or tracks just a fraction of data).

I have done my fair share of homework/research on googleverse and found the know issue with google analytics or cookies in general across domains and iframes.

I am trying to resolve this issue and the only solution that has been referenced is the use of P3P headers.

1. First, where do the P3P headers go? In my sites pages or the partner sites pages. Since we have many partner sites (big and small) it wont be practical if the solution is to put tags in each of these sites. I can easily have them added to the page that contains the iframe.

2. Among the various p3p header generators is there a reliable one that you recommend?

3. Is there any way around this issue? I really need to open the sites in iframes and obviously the partner sites really need to track the traffic.

Thank you for the help.

Answer 1

Unfortunately, both you and the partner site needs to set the headers.

Alternatives:

• If you do not want the partner site to set headers, one option is to lower the security level (in IE) or grant access to 3rd party cookies (in FF) in the browser settings. Every client has to do this, so this may not be an attractive solution.
• Use localStorage (HTML5 thingy - browsers that support localStorage allow access to both the site and the iFrame's content that is stored in localStorage). This may not be feasible in the short term as it requires both you and your partner site to implement saving/reading information to/from localStorage and not every browser supports it (older IE browsers especially).

To add a basic policy header (ideally you should generate your own policy which is straight forward - check item#2 below)

in php add this line:

<?php header('P3P: CP="CAO PSA OUR"'); ?>

in ASP.Net :

HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");

in HTML pages:

<meta http-equiv="P3P" content='CP="CAO PSA OUR"'>

---

Regarding your other concerns:

1) P3P headers refer to the HTTP header that delivers something called a compact policy to the browser. Without such a policy in place, IE (most notably) and other browsers will block access to 3rd party cookies (a term used to refer to iFrame's cookies) to protect user's privacy concerns.

As far as Google Analytics goes, both your site and the partner site still needs to configure cross domain tracking as outlined in their documentation.

2) You can use this basic policy header (which is enough to fix iFrame's cookies):

P3P: CP="CAO PSA OUR"

or generate your own. If you're not sure what those terms mean, see this .

To generate such policy, you can use online editors such as p3pedit.com or IBM's tool which present a set of questions and allow you to present answers. This makes it easy for you to quickly generate such policy. You can generate the policy XML , compact policy and more.

3) You can try the two alternatives mentioned above.

Steps to add the policy to your entire site

1. Generate a compact policy (using one of the tools mentioned earlier) or use the basic policy
2. In IIS , right-click the desired page, directory, or site, and then click Properties.
3. On the HTTP Headers tab, click Add.
4. In the Custom Header Name field, type P3P.
5. In the Custom Header Value field, enter your Compact P3P Policy (or the basic one from above) and then click OK.
6. In Apache , a mod_header line like this will do:

 Header append P3P "CP=\\"CAO PSA OUR\\"" 

Hope ths helps.