
Cookie not sent with JSONP request in IE

I have some JavaScript hosted on domain A that makes JSONP requests to a service on domain B. A request to B/Auth sets a cookie containing an authentication token. Subsequent requests to other services on domain B should also contain this cookie.

In Chrome this mechanism works perfectly; the cookie is set, sent, and data is returned. In IE10 the Set-Cookie header comes back with the response from B/Auth but is not included with subsequent requests.

Set-Cookie  MINT_SESSIONTOKEN=MyDST={TOKEN}; expires=Thu, 10-Oct-2013 11:57:45 GMT; path=/; HttpOnly

After some Googling and experimentation I discovered that if I set IE's privacy settings (Internet Options > Privacy) to Low or Accept All Cookies then the cookie is sent with subsequent requests to domain B. Any setting higher than Low prevents the cookie from being sent.

While this solves the issue for me it does not solve the problem for users who would have to reconfigure their privacy settings in order to get data.

I'm a bit confused as to what exactly is happening under the hood. I think IE sees the cookie as third party and prevents it from being set (despite the cookie being set for, and sent to, domain B) which is why it is omitted in subsequent requests.

Is there something I can do to prevent IE from blocking the cookie without the user having to modify their browser privacy settings?

ScaryLooking asked Oct 10 '13 11:10


1 Answer

It turns out I needed a Compact Privacy policy.

http://www.p3pwriter.com/LRN_111.asp

http://msdn.microsoft.com/en-us/library/ms537343%28v=vs.85%29.aspx

http://www.marco.org/2007/04/27/p3p-sucks-how-to-get-frame-cookies-unblocked-in-ie6

ScaryLooking answered Oct 10 '22 13:10
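
What the fix in the answer above looks like on domain B's side, as an added example that is not part of the original post: the B/Auth JSONP response carries a `P3P` compact policy header next to its `Set-Cookie`. The function names, the response body and the policy token string are assumptions (the tokens are a constructed sample), and the callback-name check is an addition, since JSONP echoes that parameter into executable script.

```javascript
// Added example, not the asker's code. Hypothetical names throughout.

// Constructed sample compact policy. The tokens are a machine-readable
// statement of privacy practice and must match the site's real policy.
const COMPACT_POLICY = 'CP="IDC DSP COR CUR ADM DEV OUR IND"';

// JSONP reflects the callback name into script, so accept only a plain
// dotted identifier such as jQuery123_456 or app.onAuth.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Build the B/Auth response: status, headers and JSONP body.
function buildAuthResponse(callback, token, expires) {
  if (typeof callback !== 'string' || callback.length > 64 ||
      !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' },
             body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      // Sent on the same response that sets the cookie, so IE can evaluate
      // the policy when deciding whether to accept the cookie.
      'P3P': COMPACT_POLICY,
      // Same cookie shape as the header shown in the question.
      'Set-Cookie': 'MINT_SESSIONTOKEN=MyDST=' + encodeURIComponent(token) +
        '; expires=' + expires.toUTCString() + '; path=/; HttpOnly',
    },
    body: callback + '(' + JSON.stringify({ authenticated: true }) + ');',
  };
}

// Adapter for Node's built-in http server, e.g.
//   require('http').createServer((q, s) => handleAuth(q, s, token)).listen(8080)
function handleAuth(req, res, token) {
  const url = new URL(req.url, 'http://domain-b.invalid');
  const oneHour = new Date(Date.now() + 60 * 60 * 1000);
  const r = buildAuthResponse(url.searchParams.get('callback'), token, oneHour);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

Browsers that do not implement P3P, such as Chrome, ignore the header, so adding it does not change the behaviour the question reports as already working.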