Monday, January 14, 2008

Why IE rejects your cookies for no apparent reason

Seriously, WTF.

I'll summarize for those of you who are allergic to Microsoft Knowledge Base articles, although this one (KB 323752, "Session variables are lost if you use FRAMESET in Internet Explorer 6") is fairly to-the-point:

If you implement a FRAMESET whose FRAMEs point to other Web sites on the networks of your partners or inside your network, but you use different top-level domain names, IE silently rejects cookies sent from third-party sites.

In other words: at its default "Medium" privacy setting, IE 6 and later treats a frame served from a different domain than the top-level page as third-party content, and silently drops any cookie that content tries to set unless the response also carries a P3P compact policy header. The "different top-level domain names" wording is the KB's; what actually matters is that the framed site's domain is not the domain of the page the user is looking at.

This bit me today while adding Facebook support to my text-based game. I'm going the IFRAME route for Facebook support rather than rewriting the whole app in FBML, thank you very much, and yes, an IFRAME counts as third-party content too, so IE applies the same cookie blocking to it.

What makes me cry a little inside is not the two hours spent deep in old and crufty login and cookie-setting legacy code wondering what the flaming hell was going on. No, what makes me cry is that I got screwed by a setting that will never block the bad guys, because labeling yourself a good guy is entirely voluntary: the P3P compact policy is a self-declaration that nothing verifies, and any site that wants its cookies accepted simply sends one. It's like someone at MS read the evil bit RFC (RFC 3514) and took it seriously.

The mind boggles.

In the meantime, if you know where your web framework's cookie code lives, do everyone a favor and patch it now to send the P3P header given in the knowledge base (P3P: CP="CAO PSA OUR") by default on every response that sets a cookie. And add an option to disable it if you're obsessive-compulsive that way.


Jack Diederich said...

Oh yes, I've even done strange things like use a large number of invisible frames (like 10+) to communicate information. You can count the frames even if you can't see their contents.

Raven said...

If you were supposed to modify the P3P header of the parent content this would actually be a half-decent way of declaring "yes, I have put a little thought into cross-site scripting attacks".

But in the client P3P header? WTF indeed!

I am now feeling smug about having rejected P3P as retarded years ago.

Anonymous said...

I'm not sure I understand your post, but I'm running into a related problem. In IE, in a cross-domain iframe, the browser won't *send* cookies associated with that domain.
