
P3P set header for IE8 doesn't seem to work

The below P3P setHeader code is present in my CASresponse jsp but doesn't seem to work,

response.setHeader("P3P", "policyref=\"http://sso.mydomain.net/w3c/p3p.xml\", "
        + "CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

Am I missing something here? I am not able to get my third party cookies in IE8.

Is policyref required in the header? Should I set a P3P policy for my domain?

Since it's a CAS request, should I set it when all requests come into CAS? Say I have entryFilter.java, should I set the P3P header there? Or after the cookie gets created?

I am not able to retain the cookies when IE does a 302 redirect to my serviceUrl.

The short answer first :)

You can add the header simply as

response.setHeader("P3P", "CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

But as you need the header on all the resources, it's better to go for the filter:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class P3PFilter implements Filter {

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Add the header before the rest of the chain runs, so it is set before the response is committed.
        resp.addHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
        filterChain.doFilter(req, resp);
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}

The long answer

I was suffering from the same issue a while back. Probably just like you, I did my homework and developed a fair understanding of what a P3P policy is and how it is meant to be used. What I was referencing at the time:

Official links

http://www.w3.org/P3P/

http://p3ptoolbox.com/guide/

Notable blogs

http://www.marco.org/2007/04/27/p3p-sucks-how-to-get-frame-cookies-unblocked-in-ie6

http://www.techrepublic.com/blog/software-engineer/craft-a-p3p-policy-to-make-ie-behave/

Notable SO questions

Cookie blocked/not saved in IFRAME in Internet Explorer

P3P Policy not working to allow 3rd party cookies in IE

Despite all this, I was still failing to make it work properly. What I was failing to realize, and what I eventually learned with the help of this amazing book, is that, quote:

in order to set third-party cookies for Internet Explorer users (with default security settings), you need to return a special P3P HTTP header with your resources that declares how your service intends to employ user data. This header needs to be returned with ALL HTTP responses for your resources, not just those that set cookies. This means static resources, AJAX endpoints, iframes—everything.

I suspect that this could be your issue as well, the P3P policy I use is almost exactly the same as yours, so you're not getting denied over an invalid policy.

I set my header without a URL to a p3p policy, as said in a techrepublic blog

IE does not compare the compact policy to the full-format policy, and the full-format policy is not needed

and this has proven true in my tests. This would mean that you can add the header simply as

response.setHeader("P3P", "CP=\"CAO IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

However, as you need it in all the responses, it's better to write a filter, something like

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class P3PFilter implements Filter {

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Add the header before the rest of the chain runs, so it is set before the response is committed.
        resp.addHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
        filterChain.doFilter(req, resp);
    }

    public void init(FilterConfig arg0) throws ServletException {
    }
}

and applied a filter to all requests.

<filter>
    <filter-name>P3P Filter</filter-name>
    <filter-class>your.package.P3PFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>P3P Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
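
A way to check the "ALL HTTP responses" point from the quote above once the filter is deployed, as an added example that is not part of the original answer: it audits captured response heads for any response, including the 302 redirect, that lacks a compact policy or carries a different one. The capture, hosts, paths and cookie values are constructed for illustration.

```python
import re

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)

# Constructed capture of response heads from a CAS login flow (placeholder names).
CAPTURE = [
    ("GET /cas/login", 'HTTP/1.1 200 OK\r\nP3P: CP="CAO IDC DSP COR"\r\n'
                       'Set-Cookie: JSESSIONID=constructed\r\n\r\n'),
    ("POST /cas/login", 'HTTP/1.1 302 Found\r\nLocation: https://app.example/svc\r\n'
                        'Set-Cookie: CASTGC=TGT-constructed\r\n\r\n'),
    ("GET /cas/css/cas.css", 'HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n'),
    ("GET /cas/status", 'HTTP/1.1 200 OK\r\np3p: CP="IDC DSP COR"\r\n\r\n'),
]

def parse_head(raw):
    # Split a raw response head into (status code, [(lowercased name, value)]).
    lines = raw.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def compact_policy(headers):
    # Header names are case-insensitive, so "p3p" and "P3P" are the same header.
    for name, value in headers:
        match = CP_RE.search(value) if name == "p3p" else None
        if match:
            return tuple(match.group(1).split())
    return None

def audit(capture):
    # Report every response that lacks a compact policy or disagrees with the first one.
    findings, reference = [], None
    for request, raw in capture:
        status, headers = parse_head(raw)
        policy = compact_policy(headers)
        if policy is None:
            cookie = any(name == "set-cookie" for name, _ in headers)
            findings.append((request, status, "no compact policy"
                             + (", sets a cookie" if cookie else "")))
        elif reference is None:
            reference = policy
        elif policy != reference:
            findings.append((request, status, "compact policy differs"))
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```
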

Maybe this helps; try modifying your code with this:

response.setHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'");

Also have a look at this:

https://msdn.microsoft.com/en-us/library/ms537343(v=vs.85).aspx#unsatisfactory_cookies

Basically just write the filter like here http://www.muneebahmad.com/index.php/archives/56 and use the

response.addHeader("P3P", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

then just map it to the URLs you wish to add this header or use /* for all.

OR

Here you will find an almost similar question and the accepted answer for the same, with detailed sample code.

https://stackoverflow.com/questions/6121212/how-to-generate-and-deploy-p3p-privacy-policy-in-struts2-java

Hope it will help!

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 