Cookie & Frame from another domain?

  • Bruno

    Cookie & Frame from another domain?

    I have a feature that is hosted on a different domain from the primary one
    in a frame, and need to retain values in a cookie.

    example: A web page at one.com contains a frame which has a page hosted at
    two.com

    If I view the frameset from one.com in Firefox, all works well with the
    content from two.com. But if trying to view this using IE (with standard
    security settings), the cookie set by two.com is not accessible.

    Have been tinkering with the domain setting in the setcookie function to
    specify the domain: have tried one.com and two.com, but have not been able
    to get at the cookie value.

    How can I get this to work?


  • Gordon Burditt

    #2
    Re: Cookie & Frame from another domain?

    >I have a feature that is hosted on a different domain from the primary one
    >in a frame, and need to retain values in a cookie.
    >
    >example: A web page at one.com contains a frame which has a page hosted at
    >two.com
    >
    >If I view the frameset from one.com in Firefox, all works well with the
    >content from two.com. But if trying to view this using IE (with standard
    >security settings), the cookie set by two.com is not accessible.
    >
    >Have been tinkering with the domain setting in the setcookie function to
    >specify the domain: have tried one.com and two.com, but have not been able
    >to get at the cookie value.
    >
    >How can I get this to work?

    Hopefully you can't on any browser. Cookies from one domain aren't
    supposed to be sent to another. For many, many, uses of cookies,
    it's a BIG security hole (you're handing credentials to log into one
    web site to another web site, which makes session hijacking easy).

    Gordon L. Burditt


    • Bruno

      #3
      Re: Cookie & Frame from another domain?

      Yes, but it does actually work on any browser I have seen aside from IE
      (including Netscape, Firefox Win, Firefox Linux, Safari Mac).

      The page in the frame does have a domain associated with it, shouldn't the
      cookie be available to that domain? (But not necessarily to the domain of
      the hosting frame)

      • d

        #4
        Re: Cookie & Frame from another domain?

        "Bruno" <2005b@TimesOnT he.Net> wrote in message
        news:D0v0g.106$ DR6.12641@news2 0.bellglobal.co m...
        > Yes, but it does actually work on any browser I have seen aside from IE
        > (including Netscape, Firefox Win, Firefox Linux, Safari Mac).
        >
        > The page in the frame does have a domain associated with it, shouldn't the
        > cookie be available to that domain? (But not necessarily to the domain of
        > the hosting frame)

        Relying on an obvious security flaw for functionality is not exactly
        planning on the future :)

        Having a frame in a page be able to read cookies from the domain in which
        the frame is situated is a nasty thing. Someone could inject a frame into a
        site's HTML somehow, and have that frame bring up a page on a second server,
        and that'll give the second server access to the cookies of the first
        server, on that page. Nasty stuff.

        • Bruno

          #5
          Re: Cookie & Frame from another domain?

          Well, I'm not so sure that it's a nasty thing if a frame from a domain has
          access to its own cookies.

          In the example I gave, I would intuitively suspect that domain one.com
          should have access to cookies created by domain one.com, and that domain
          two.com should have access to cookies created by domain two.com, but they
          should not be able to access each other's - That would be an obvious
          security breach. You are suggesting that accessing a cookie from its own
          domain is a breach just because it is contained in a frame? - It does not
          make sense.

          It strikes me that a frame's contents should be managed as an independent
          page (and obviously the feature works in IE if spawned into a "_blank"
          window). Perhaps IE is not secure in separating access to a frame's cookies
          that are different than its host frame...

          As far as I can see, the contents of the frame belong either to its own
          domain, or the host frame's (which is it?). Setting the cookie as belonging
          to one of these two domains should allow me to save values for subsequent
          pages. The only alternatives are to pass values as parameters in the page
          call (which is inherently more visible to the average user than values
          passed in a cookie), or to implement a complex set of forms/posts for
          navigation (which would be quite tedious).

          • Gordon Burditt

            #6
            Re: Cookie & Frame from another domain?

            >Yes, but it does actually work on any browser I have seen aside from IE
            >(including Netscape, Firefox Win, Firefox Linux, Safari Mac).
            >
            >The page in the frame does have a domain associated with it, shouldn't the
            >cookie be available to that domain? (But not necessarily to the domain of
            >the hosting frame)

            A cookie set by domain A should never be sent to a server not in
            domain A.

            >>>I have a feature that is hosted on a different domain from the primary one
            >>>in a frame, and need to retain values in a cookie.
            >>>
            >>>example: A web page at one.com contains a frame which has a page hosted at
            >>>two.com
            >>>
            >>>If I view the frameset from one.com in Firefox, all works well with the
            >>>content from two.com. But if trying to view this using IE (with standard
            >>>security settings), the cookie set by two.com is not accessible.

            Ok, perhaps I misunderstood you. The cookie set by two.com is not
            accessible *ON WHICH SERVER*? I assumed you meant it wasn't
            accessible by pages on one.com. And it shouldn't be.

            >>>Have been tinkering with the domain setting in the setcookie function to
            >>>specify the domain: have tried one.com and two.com, but have not been able
            >>>to get at the cookie value.

            Get at the cookie value *ON WHICH SERVER*?

            >>>
            >>>How can I get this to work?
            >>
            >> Hopefully you can't on any browser. Cookies from one domain aren't
            >> supposed to be sent to another. For many, many, uses of cookies,
            >> it's a BIG security hole (you're handing credentials to log into one
            >> web site to another web site, which makes session hijacking easy).
            >>
            >> Gordon L. Burditt

            Gordon L. Burditt


            • Bruno

              #7
              Re: Cookie & Frame from another domain?

              Agreed - A cookie on two.com should not be accessible by one.com.

              I want the cookie on two.com to be accessible by two.com inside a frame
              originating on a page at one.com.

              But, when the two.com page sets a cookie, and chains another page in two.com
              (within the frameset defined at one.com) the cookie values are not
              accessible under IE as they are for all other browsers.

              Now, if I go into the IE privacy setting, click 'override cookie handling',
              and ensure 'always allow third party cookies' is checked the application
              will work in a frame, otherwise it will only work under IE if it is in a
              separate browser window (i.e. being the 'primary' site)

              I'm just not happy about having to give instructions to the masses telling
              them to adjust their cookie settings under IE. And as far as I'm concerned,
              site two.com using a site two.com cookie should not be an unrealistic
              thing...

              • Gordon Burditt

                #8
                Re: Cookie & Frame from another domain?

                >Well, I'm not so sure that it's a nasty thing if a frame from a domain has
                >access to its own cookies.

                It was unclear from your question that this was the situation.

                >As far as I can see, the contents of the frame belong either to its own
                >domain, or the host frame's (which is it?).

                The domain of the cookie is the domain of the URL the browser was
                fetching when it received the cookie. This does not necessarily
                have anything to do with frames: the cookie could have come from
                an image fetched from a server unrelated to any frame (banner ad,
                for example).

                >Setting the cookie as belonging
                >to one of these two domains should allow me to save values for subsequent
                >pages.

                (1) What was the domain in the URL that caused the cookie to be
                sent to the browser? (might or might not be a frame URL)
                (2) What was the domain in the arguments to setcookie()?
                (3) What was the domain of the URL that you think should be delivering
                the cookie to the server for that URL, but isn't?

                IE might be dropping the cookie if (1) and (2) are unrelated domains.
                A cookie set by (1) should never be transmitted to (3) if the domains
                are unrelated (regardless of what you set in (2)).

                Gordon L. Burditt


                • Gordon Burditt

                  #9
                  Re: Cookie & Frame from another domain?

                  >Agreed - A cookie on two.com should not be accessible by one.com.
                  >
                  >I want the cookie on two.com to be accessible by two.com inside a frame
                  >originating on a page at one.com.

                  (1) What is the URL of the hit that sets the cookie? (might be
                  an image, not a frame)
                  (2) What is the domain argument of setcookie for the cookie?
                  (3) What is the URL of the page expecting to see the cookie?

                  Please try hard to avoid mention of what frame something is in
                  or what chains what.

                  If (1) and (2) are not related domains, it should be dropped as a
                  third party cookie. If (2) and (3) are unrelated, the cookie should
                  not be sent. There's then no way to make this work if (1) and (3)
                  are unrelated.

                  >I want the cookie on two.com to be accessible by two.com
                  >inside a frame
                  >originating on a page at one.com.

                  I take the above two lines to mean that (1) or (3) are on one.com
                  but you're trying really hard to say it's on two.com, because
                  that's where the frame is.

                  >Now, if I go into the IE privacy setting, click 'override cookie handling',
                  >and ensure 'always allow third party cookies' is checked the application
                  >will work in a frame, otherwise it will only work under IE if it is in a
                  >separate browser window (i.e. being the 'primary' site)
                  >
                  >I'm just not happy about having to give instructions to the masses telling
                  >them to adjust their cookie settings under IE. And as far as I'm concerned,
                  >site two.com using a site two.com cookie should not be an unrealistic
                  >thing...

                  You shouldn't be happy about giving such instructions. It marks you
                  as someone to be permanently ignored, and your site as one to be
                  presumed virus-ridden.

                  Gordon L. Burditt


                  • Bruno

                    #10
                    Re: Cookie & Frame from another domain?

                    A little further investigation into the privacy settings - IE's default
                    setting (Medium) specifies that it:
                    - blocks third-party cookies that do not have a compact privacy policy
                    (what's this about?)
                    - blocks third-party cookies that use personally identifiable information
                    without implicit consent

                    So I guess it's one of these things that is blocking the cookie.

                    Not sure why my cookie would violate any of these restrictions: My cookie
                    is not using any personally identifiable information. The source page has a
                    list of links to be chosen among. When the user clicks a link, it chains to
                    a page which accesses a settings file on the server, saves relevant values
                    to a cookie for the remainder of the session, and chains to the final target
                    page which requires these values to operate.

                    • Jerry Stuckle

                      #11
                      Re: Cookie & Frame from another domain?

                      Bruno wrote:
                      > Agreed - A cookie on two.com should not be accessible by one.com.
                      >
                      > I want the cookie on two.com to be accessible by two.com inside a frame
                      > originating on a page at one.com.
                      >
                      > But, when the two.com page sets a cookie, and chains another page in two.com
                      > (within the frameset defined at one.com) the cookie values are not
                      > accessible under IE as they are for all other browsers.
                      >
                      > Now, if I go into the IE privacy setting, click 'override cookie handling',
                      > and ensure 'always allow third party cookies' is checked the application
                      > will work in a frame, otherwise it will only work under IE if it is in a
                      > separate browser window (i.e. being the 'primary' site)
                      >
                      > I'm just not happy about having to give instructions to the masses telling
                      > them to adjust their cookie settings under IE. And as far as I'm concerned,
                      > site two.com using a site two.com cookie should not be an unrealistic
                      > thing...
                      >

                      Bruno,

                      Just read this thread

                      That makes sense. The main page is one.com, so two.com is a third-party for
                      that page. Unlike when the page is directly loaded from two.com, where there is
                      no other party involved.

                      Sounds like IE is doing exactly what it should. Other than telling the user to
                      change their browser settings, there isn't much you can do.

                      One of the reasons for this setting, btw, is to limit ad tracking. Third party
                      ads would set cookies on one page and be able to read them on another page (the
                      ads would be originated at the same domain so this works).

                      BTW - please don't top post. This group uses bottom posting as a standard.

                      --
                      =============== ===
                      Remove the "x" from my email address
                      Jerry Stuckle
                      JDS Computer Training Corp.
                      jstucklex@attgl obal.net
                      =============== ===
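
The three questions Gordon asks in #8 and #9, together with the third-party check Jerry describes in #11, as an added JavaScript model (not code from any poster and not any browser's real implementation). Assumptions: the policy names `"allow-all"` and `"ie-medium"`, the `hasCompactPolicy` flag, and `siteOf()` treating a site as the last two DNS labels, where real browsers use the Public Suffix List.

```javascript
// Added illustration: a simplified model of the checks discussed in this thread.

// Assumption: a "site" is the last two DNS labels (one.com, two.com).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Set-time decision.
//   setterHost       (1) host of the URL whose response carries Set-Cookie
//   domainAttr       (2) domain argument given to setcookie(), "" if omitted
//   topLevelHost     host of the page in the address bar (the frameset)
//   policy           hypothetical names: "allow-all" or "ie-medium"
//   hasCompactPolicy hypothetical flag: the response declared a compact privacy
//                    policy (IE read this from the P3P response header)
function acceptCookie({ setterHost, domainAttr, topLevelHost, policy, hasCompactPolicy }) {
  const cookieDomain = (domainAttr || setterHost).toLowerCase().replace(/^\./, "");
  // (1) vs (2): a server may only set cookies for its own domain or a parent of it.
  if (!domainMatch(setterHost, cookieDomain)) {
    return { stored: false, reason: "domain argument does not cover the setting host" };
  }
  // A bare suffix such as "com" would cover unrelated sites (simplified check).
  if (domainAttr && !cookieDomain.includes(".")) {
    return { stored: false, reason: "domain argument is a bare suffix" };
  }
  // Third-party test: compare the setter with the top-level page, not with itself.
  const thirdParty = siteOf(setterHost) !== siteOf(topLevelHost);
  if (thirdParty && policy === "ie-medium" && !hasCompactPolicy) {
    return { stored: false, thirdParty, reason: "third-party cookie without compact privacy policy" };
  }
  return { stored: true, thirdParty, cookieDomain, hostOnly: !domainAttr };
}

// Send-time decision, (2) vs (3): is a stored cookie attached to a request?
function sendCookie(cookie, requestHost) {
  if (!cookie.stored) return false;
  const h = requestHost.toLowerCase();
  // Without a domain argument the cookie is host-only: exact host match required.
  return cookie.hostOnly ? h === cookie.cookieDomain : domainMatch(h, cookie.cookieDomain);
}

// The situations described in the thread (hosts are the thread's own examples).
function runThreadScenarios() {
  const base = { setterHost: "two.com", domainAttr: "", hasCompactPolicy: false };
  return {
    // two.com opened in its own window: first party, stored.
    ownWindow: acceptCookie({ ...base, topLevelHost: "two.com", policy: "ie-medium" }),
    // two.com framed by one.com under IE's default setting: dropped at set time.
    framedIeMedium: acceptCookie({ ...base, topLevelHost: "one.com", policy: "ie-medium" }),
    // Same frame with third-party cookies allowed: stored.
    framedAllowAll: acceptCookie({ ...base, topLevelHost: "one.com", policy: "allow-all" }),
    // Same frame, but the response declares a compact privacy policy.
    framedWithCompactPolicy: acceptCookie({
      ...base, topLevelHost: "one.com", policy: "ie-medium", hasCompactPolicy: true,
    }),
    // two.com passing one.com as the domain argument: rejected regardless of policy.
    foreignDomainArg: acceptCookie({
      ...base, domainAttr: "one.com", topLevelHost: "one.com", policy: "allow-all",
    }),
  };
}

for (const [name, r] of Object.entries(runThreadScenarios())) {
  console.log(name.padEnd(26), r.stored ? "stored" : "dropped: " + r.reason);
}
```

The model covers only the first of the two Medium rules quoted in #10; the rule about personally identifiable information depends on the contents of the compact policy and is not modelled.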


                      • Bruno

                        #12
                        Re: Cookie & Frame from another domain?

                        Hi Gordon, and thanks for all the effort you are putting into this - Much
                        appreciated.

                        From your questions below (1) is the same as (2) which is the same as (3).
                        (except that I have thus far left the domain specification at null when
                        setting the cookie - this should default it to (1) I assume).

                        It works fine when in its own browser window, but not when contained in a
                        frame from a different site.

                        • Bruno

                          #13
                          Re: Cookie & Frame from another domain?


                          "Jerry Stuckle" <jstucklex@attg lobal.net> wrote in message
                          news:eYSdnRTXS9 B6Kd_ZnZ2dnUVZ_ s-dnZ2d@comcast.c om...[color=blue]
                          > Bruno wrote:[color=green]
                          >> Agreed - A cookie on two.com should not be accessible by one.com.
                          >>
                          >> I want the cookie on two.com to be accessible by two.com inside a frame
                          >> originating on a page at one.com.
                          >>
                          >> But, when the two.com page sets a cookie, and chains another page in
                          >> two.com (within the frameset defined at one.com) the cookie values are
                          >> not accessible under IE as they are for all other browsers.
                          >>
                          >> Now, if I go into the IE privacy setting, click 'override cookie
                          >> handling', and ensure 'always allow third party cookies' is checked the
                          >> application will work in a frame, otherwise it will only work under IE if
                          >> it is in a separate browser window (i.e. being the 'primary' site)
                          >>
                          >> I'm just not happy about having to give instructions to the masses
                          >> telling them to adjust their cookie settings under IE. And as far as I'm
                          >> concerned, site two.com using a site two.com cookie should not be an
                          >> unrealistic thing...
                          >>
                          >
                          > Bruno,
                          >
                          > Just read this thread
                          >
                          > That makes sense. The main page is one.com, so two.com is a third-party
                          > for that page. Unlike when the page is directly loaded from two.com,
                          > where there is no other party involved.
                          >
                          > Sounds like IE is doing exactly what it should. Other than telling the
                          > user to change their browser settings, there isn't much you can do.
                          >
                          > One of the reasons for this setting, btw, is to limit ad tracking. Third-party
                          > ads would set cookies on one page and be able to read them on another
                          > page (the ads would be originated at the same domain so this works).
                          >
                          > BTW - please don't top post. This group uses bottom posting as a
                          > standard.
                          >
                          > --
                          > ==================
                          > Remove the "x" from my email address
                          > Jerry Stuckle
                          > JDS Computer Training Corp.
                          > jstucklex@attglobal.net
                          > ==================

                          So basically you are saying that IE by default kills all cookies not
                          relating to the primary level domain.

                          It seems that Microsoft has a different interpretation of this than the
                          Mozilla folks: With Mozilla (Firefox) if restricting Cookies to be 'for the
                          originating site only', which is not the default, the application still
                          works, as I assume that they will allow a site that created its cookie to
                          retrieve its cookie, even if in a frame (since it is the originating site).

                          If IE's approach is as you say, it may stop ad counters, but also cripples
                          having nested content not originating from the primary site - That's a
                          shame.

                          If the domain-in-a-frame (two.com in the example) were to specify the main
                          site (one.com) as being the cookie's owner at creation time, would this work
                          to get around the problem? (I'm really just interested in getting it working in
                          the frame).

                          Aside from getting users to change their settings, the only other way is to
                          detect IE and spawn it into another browser instance, but this is an ugly
                          solution...





                          Comment

                          • Gordon Burditt

                            #14
                            Re: Cookie & Frame from another domain?

                            >A little further investigation into the privacy settings - IE's default
                            >setting (Medium) specifies that it:
                            >- blocks third-party cookies that do not have a compact privacy policy
                            >(what's this about?)

                            Your web site can publish a privacy policy. Google "compact privacy
                            policy" and select "How to Deploy P3P Policies on Your Web Site"
                            (on msdn.microsoft.com). Typically it's in the URL /w3c/p3p.xml.

                            >- blocks third-party cookies that use personally identifiable information
                            >without implicit consent

                            If you don't publish a policy to not use personally identifiable
                            information, it's presumed that you do, and sell it to Satan, and
                            use it to rape and pillage the user.

                            >So I guess it's one of these things that is blocking the cookie.
                            >
                            >Not sure why my cookie would violate any of these restrictions: My cookie

                            Your *LACK OF A POLICY* violates those restrictions. IE can't read your
                            mind or figure out what you encrypted into that cookie (if anything).

                            >is not using any personally identifiable information. The source page has a
                            >list of links to be chosen among. When the user clicks a link, it chains to
                            >a page which accesses a settings file on the server, saves relevant values
                            >to a cookie for the remainder of the session, and chains to the final target
                            >page which requires these values to operate.

                            PHP doesn't have a function called chain(). This probably doesn't
                            refer to a method of attaching your partner to the bed. Are you
                            using it in the context of "when the user clicks the submit button
                            or a link, the browser goes to this other page"? Or something that
                            doesn't require user action?

                            Gordon L. Burditt

                            Comment

                            • Jerry Stuckle

                              #15
                              Re: Cookie & Frame from another domain?

                              Bruno wrote:
                              > "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
                              > news:eYSdnRTXS9B6Kd_ZnZ2dnUVZ_s-dnZ2d@comcast.com...
                              >
                              >>Bruno wrote:
                              >>
                              >>>Agreed - A cookie on two.com should not be accessible by one.com.
                              >>>
                              >>>I want the cookie on two.com to be accessible by two.com inside a frame
                              >>>originating on a page at one.com.
                              >>>
                              >>>But, when the two.com page sets a cookie, and chains another page in
                              >>>two.com (within the frameset defined at one.com) the cookie values are
                              >>>not accessible under IE as they are for all other browsers.
                              >>>
                              >>>Now, if I go into the IE privacy setting, click 'override cookie
                              >>>handling', and ensure 'always allow third party cookies' is checked the
                              >>>application will work in a frame, otherwise it will only work under IE if
                              >>>it is in a separate browser window (i.e. being the 'primary' site)
                              >>>
                              >>>I'm just not happy about having to give instructions to the masses
                              >>>telling them to adjust their cookie settings under IE. And as far as I'm
                              >>>concerned, site two.com using a site two.com cookie should not be an
                              >>>unrealistic thing...
                              >>>
                              >>
                              >>Bruno,
                              >>
                              >>Just read this thread
                              >>
                              >>That makes sense. The main page is one.com, so two.com is a third-party
                              >>for that page. Unlike when the page is directly loaded from two.com,
                              >>where there is no other party involved.
                              >>
                              >>Sounds like IE is doing exactly what it should. Other than telling the
                              >>user to change their browser settings, there isn't much you can do.
                              >>
                              >>One of the reasons for this setting, btw, is to limit ad tracking. Third-party
                              >>ads would set cookies on one page and be able to read them on another
                              >>page (the ads would be originated at the same domain so this works).
                              >>
                              >>BTW - please don't top post. This group uses bottom posting as a
                              >>standard.
                              >>
                              >>--
                              >>==================
                              >>Remove the "x" from my email address
                              >>Jerry Stuckle
                              >>JDS Computer Training Corp.
                              >>jstucklex@attglobal.net
                              >>==================
                              >
                              >
                              > So basically you are saying that IE by default kills all cookies not
                              > relating to the primary level domain.
                              >
                              > It seems that Microsoft has a different interpretation of this than the
                              > Mozilla folks: With Mozilla (Firefox) if restricting Cookies to be 'for the
                              > originating site only', which is not the default, the application still
                              > works, as I assume that they will allow a site that created its cookie to
                              > retrieve its cookie, even if in a frame (since it is the originating site).
                              >
                              > If IE's approach is as you say, it may stop ad counters, but also cripples
                              > having nested content not originating from the primary site - That's a
                              > shame.
                              >
                              > If the domain-in-a-frame (two.com in the example) were to specify the main
                              > site (one.com) as being the cookie's owner at creation time, would this work
                              > to get around the problem? (I'm really just interested in getting it working in
                              > the frame).
                              >
                              > Aside from getting users to change their settings, the only other way is to
                              > detect IE and spawn it into another browser instance, but this is an ugly
                              > solution...
                              >
                              >
                              Basically, yes, IE kills those cookies. You can thank the sites which abused
                              cookies and used them to track the sites people visited. Microsoft was under
                              fire to increase security to stop the abuse, and they did.

                              I believe you can do the same by tightening Firefox's security, but I'm not
                              positive. It's just a matter of what the default is.

                              The whole purpose of stopping this is to prevent third-party sites from
                              storing/retrieving cookies. I doubt there is any way around it. If there were,
                              that would be another security exposure these abusive sites would use.

                              --
                              ==================
                              Remove the "x" from my email address
                              Jerry Stuckle
                              JDS Computer Training Corp.
                              jstucklex@attglobal.net
                              ==================

                              Comment
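The rule discussed in posts #13 to #15, as an added example that is not part of any post: a small Python audit that takes the top-level page URL, the framed page URL and the framed response's headers, and reports whether each cookie falls under the "third-party cookie without a compact privacy policy" rule quoted from IE's Medium setting. The function names, the two-label site comparison, the sample URLs and the sample headers are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

def site(url):
    """Naive 'site' of a URL: the last two host labels (assumption for this
    sketch; a real browser uses its own zone / public-suffix logic)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def compact_policy(headers):
    """Tokens of the CP="..." part of a P3P response header, or [] if absent."""
    for name, value in headers:
        if name.lower() == "p3p":
            match = re.search(r'CP\s*=\s*"([^"]*)"', value, re.I)
            if match:
                return match.group(1).split()
    return []

def cookie_names(headers):
    """Names of all cookies set by the response."""
    return [v.split("=", 1)[0].strip()
            for n, v in headers if n.lower() == "set-cookie"]

def audit(top_level_url, frame_url, headers):
    """Model of the one rule quoted in the thread: a third-party cookie that
    comes without a compact privacy policy is blocked."""
    third_party = site(top_level_url) != site(frame_url)
    has_policy = bool(compact_policy(headers))
    verdicts = {}
    for name in cookie_names(headers):
        if not third_party:
            verdicts[name] = "first-party: rule does not apply"
        elif not has_policy:
            verdicts[name] = "third-party, no compact policy: blocked"
        else:
            verdicts[name] = "third-party, compact policy present: judged on its tokens"
    return verdicts

# Constructed sample responses from the framed two.com page. The CP tokens are
# sample values; a real header must summarise the site's actual published policy.
NO_POLICY = [("Content-Type", "text/html"),
             ("Set-Cookie", "settings=abc123; path=/")]
WITH_POLICY = NO_POLICY + [("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID"')]

if __name__ == "__main__":
    top, frame = "http://one.com/index.html", "http://two.com/step1.php"
    print("framed, no policy  :", audit(top, frame, NO_POLICY))
    print("framed, with policy:", audit(top, frame, WITH_POLICY))
    print("opened directly    :", audit(frame, frame, NO_POLICY))
```

The three cases match what the thread reports: the cookie is refused when two.com is framed by one.com and sends no policy, and the rule does not apply when two.com is opened in its own window.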
