1

I am trying to understand the technical implications for setting a compact p3p header in my Facebook application. Someone has said to me that setting the p3p header in my site (iframe) will allow Facebook (parent) to read my cookies.

I do not believe this is the case and from my understanding the p3p is (just) a legal binding between me (as a site owner) and the user (internet explorer).

If someone can point me to an authoritative information that explains this (in human readble words) I'd be very much obliged. I have read through all the w3c documents but could not find what I was looking for.

Nir Levy
  • 4,613
  • 2
  • 34
  • 47

2 Answers2

3

No. The P3P header is used so the child frame can access the parent frame's cookies. The P3P header we use is:

P3P: CP="CAO PSA OUR"

I've only noticed P3P policies being checked in IE and Safari browsers - it's not a universally popular standard (to say the least). It's a pain to deal with, but once you know about it, you know about it. I'm not sure how legally binding they are, but you can use the header above to make sure your application works as expected and then modify the actual content to describe what private information you're requesting. We use this tool to generate P3P policies. Exporting the "simple" policy will give you what you need for the header.

Here's a link to Facebook documentation regarding P3P, scroll down to the Cookies in iframes/P3P Header section. Here's a forum post on the subject as well.

Jimmy Sawczuk
  • 13,488
  • 7
  • 46
  • 60
2

P3P allows you to set 3rd party cookies in IE/Firefox.

It doesn't have anything to do with allowing parent iframe to access child iframe cookies.

shashuec
  • 684
  • 8
  • 20
  • that was my understanding, but I am looking for an authoritative information I can show the Information Security people to prove that this is indeed the case. – Nir Levy Apr 05 '11 at 06:33