ASP.NET Website working within a frame

I recently was tasked with creating an ASP.NET Website that will run within a Frame on another domain.

Not realising the inherent problem with this method, I set about happily creating a website as I normally do, oblivious to the impending problems about to be uncovered.
In development my website worked as expected, passed QA testing and was on its way up to production, where it would finally be placed inside its frame for use.

So imagine the “Shock and Awe” when the application didn’t work whatsoever. Like it couldn’t maintain a session.

So it turns out that, depending on browser security settings, third-party cookies are disabled, and websites within frames cannot rely on cookies and therefore cannot use session cookies.
Luckily however there is a simple solution for this.

All we need to do is add a P3P (Privacy Preferences Project) header, which will indicate to the browser that this is in fact a site that can be trusted.
In essence this publishes a privacy policy which states what kind of information is collected and whether it will be used for forces of true evil or not.
Personally I don’t quite get it, because anyone intending on abusing this system can do just the same to get their pirate hacking sites to work.

But that’s not me, I behave, so I’m happy there’s a solution!
Well, enough preamble … let’s code!!

This is the header you have to add:

    HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");

I utilise this by placing it into an HttpModule as follows:

    using System;
    using System.Web;

    namespace WebDude
    {
        // Adds the P3P compact-policy header to every response.
        public class PrivacyPreferencesHeader : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                // Hook the start of each request so the header is set before any output is sent.
                context.BeginRequest += context_BeginRequest;
            }

            private void context_BeginRequest(object sender, EventArgs e)
            {
                HttpContext.Current.Response.AddHeader("p3p", "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
            }

            public void Dispose()
            {
                // Nothing to clean up.
            }
        }
    }

Reference this HttpModule in your Web.config’s httpModules section:

    <add name="PrivacyPreferencesHeader" type="WebDude.PrivacyPreferencesHeader, WebDude"/>

You can download the csharp source file here

Googling on the web, I found the same solution for some other languages thanks to this post

PHP

    header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

JSP

    response.setHeader("P3P","CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'");

ColdFusion

    <cfheader name="P3P" value="CP='IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT'" />
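
Because the header publishes a privacy policy, it is worth knowing exactly what the CP string declares before shipping it. The following is an added example, not code from the original post: it decodes a compact policy (double- or single-quoted, as in the snippets above) against the P3P 1.0 compact-policy vocabulary and flags tokens outside it. The names `decode_cp`, `TOKENS` and `PAGE_HEADER` are assumptions of this example.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by policy element (TOKEN=full name).
_VOCAB = {
    "ACCESS": "NOI=nonident ALL=all CAO=contact-and-other IDC=ident-contact OTI=other-ident NON=none",
    "DISPUTES": "DSP=disputes",
    "REMEDIES": "COR=correct MON=money LAW=law",
    "NON-IDENTIFIABLE": "NID=non-identifiable",
    "PURPOSE": "CUR=current ADM=admin DEV=develop TAI=tailoring PSA=pseudo-analysis "
               "PSD=pseudo-decision IVA=individual-analysis IVD=individual-decision "
               "CON=contact HIS=historical TEL=telemarketing OTP=other-purpose",
    "RECIPIENT": "OUR=ours DEL=delivery SAM=same UNR=unrelated PUB=public OTR=other-recipient",
    "RETENTION": "NOR=no-retention STP=stated-purpose LEG=legal-requirement "
                 "BUS=business-practices IND=indefinitely",
    "CATEGORIES": "PHY=physical ONL=online UNI=uniqueid PUR=purchase FIN=financial "
                  "COM=computer NAV=navigation INT=interactive DEM=demographic CNT=content "
                  "STA=state POL=political HEA=health PRE=preference LOC=location "
                  "GOV=government OTC=other-category",
    "TEST": "TST=test",
}
TOKENS = {pair.split("=")[0]: (elem, pair.split("=")[1])
          for elem, spec in _VOCAB.items() for pair in spec.split()}
CONSENT = {"a": "always", "i": "opt-in", "o": "opt-out"}  # optional one-letter suffix
SUFFIX_OK = {"PURPOSE", "RECIPIENT"}  # only these elements may carry a suffix


def decode_cp(header_value):
    """Return (claims, unknown) for a P3P header value such as CP="IDC DSP ..."."""
    m = re.search(r"""CP\s*=\s*(["'])(.*?)\1""", header_value, re.I)
    if not m:
        raise ValueError('no CP="..." compact policy found')
    claims, unknown = [], []
    for tok in m.group(2).split():
        base, suffix = tok, None
        if len(tok) == 4 and tok[3] in CONSENT:
            base, suffix = tok[:3], tok[3]
        entry = TOKENS.get(base)
        # CUR and OUR never take a consent suffix, nor does any non-purpose/recipient token.
        takes_suffix = entry is not None and entry[0] in SUFFIX_OK and base not in ("CUR", "OUR")
        if entry is None or (suffix and not takes_suffix):
            unknown.append(tok)
        else:
            claims.append((tok, entry[0], entry[1], CONSENT.get(suffix)))
    return claims, unknown


# Header value exactly as given in this post.
PAGE_HEADER = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'
if __name__ == "__main__":
    for claim in decode_cp(PAGE_HEADER)[0]:
        print(*claim)
```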

posted @ Wednesday, January 21, 2009 7:43 AM
