Why IE rejects your cookies for no apparent reason

Seriously, WTF.

I'll summarize for those of you who are allergic to MSN knowledge base articles, although this one is fairly to-the-point:

If you implement a FRAMESET whose FRAMEs point to other Web sites (on your partners' networks or inside your own network) that use different top-level domain names, IE silently rejects the cookies those third-party sites set.

This bit me today while adding facebook support to my text-based game -- I'm going the IFRAME route for fb support rather than rewrite the whole app in FBML thankyouverymuch, and yes, apparently IFRAME counts too for IE retard-mode.

What makes me cry a little inside is not the two hours spent deep in old and crufty login and cookie-setting legacy code wondering what the flaming hell was going on. No, what makes me cry is that I got screwed by a setting that will never block the bad guys, because labeling yourself a good guy is entirely voluntary. It's like someone at MS read the evil bit RFC and took it seriously.

The mind boggles.

In the meantime, if you know where your web framework's cookie code lives, do everyone a favor and patch it now to send the P3P header given in the knowledge base by default, with an option to disable it if you're obsessive-compulsive that way.
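As an added example (not code from the post or from the game it describes), here is the kind of patch the paragraph above asks for, written as a WSGI middleware: any response that sets a cookie also gets a P3P header, and a flag turns the behaviour off. The compact policy `CP="CAO PSA OUR"` is an assumption built from P3P compact-policy tokens; a real deployment must pick tokens that match its actual privacy practices, and the `login_app`/`plain_app` handlers are constructed stand-ins for a framework's cookie-setting code.

```python
# Assumed example policy, not taken from the post; replace with tokens that
# describe your own site's actual privacy practices.
DEFAULT_P3P = 'CP="CAO PSA OUR"'


class P3PMiddleware:
    """Wrap a WSGI app and add a P3P header to responses carrying Set-Cookie.

    enabled=False switches the header off (the "option to disable it")."""

    def __init__(self, app, policy=DEFAULT_P3P, enabled=True):
        self.app = app
        self.policy = policy
        self.enabled = enabled

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = list(headers)
            names = {name.lower() for name, _ in headers}
            # Only add P3P when a cookie is being set and the app did not
            # already supply its own policy header.
            if self.enabled and "set-cookie" in names and "p3p" not in names:
                headers.append(("P3P", self.policy))
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start_response)


def login_app(environ, start_response):
    """Constructed stand-in for a login handler that sets a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"logged in"]


def plain_app(environ, start_response):
    """Constructed stand-in for a handler that sets no cookie at all."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(app, path="/"):
    """Drive a WSGI app with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def header(headers, name):
    """Return the first header value matching name (case-insensitive), or None."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None
```

Wrap the framework's application object once (`app = P3PMiddleware(app)`) and every cookie-setting response, login included, carries the policy header IE looks for.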

Comments

Jack Diederich said…
Oh yes, I've even done strange things like use a large number of invisible frames (like 10+) to communicate information. You can count the frames even if you can't see their contents.
Raven said…
If you were supposed to modify the P3P header of the parent content this would actually be a half-decent way of declaring "yes, I have put a little thought into cross-site scripting attacks".

But in the client P3P header? WTF indeed!

I am now feeling smug about having rejected P3P as retarded years ago.
Anonymous said…
I'm not sure I understand your post, but I'm running into a related problem. In IE, in a cross-domain iframe, the browser won't *send* cookies associated with that domain.
