IE blocks Cookies in iFrame - Solution for JSF/Seam (CodingClues)

Jun
16

IE blocks Cookies in iFrame - Solution for JSF/Seam

Well, currently I’m working on my project filesio, a platform for distributing large files via web interface instead of FTP.

One of the core abilities of my application is to provide widgets for third-party sites, allowing my users to include download-links to their files in their own web pages. These widgets are simple iframes that load content from my domain.

However, when implementing my app I struggled with the problem that Microsoft Internet Explorer per default blocks cookies set from within an iframe (of course, all other browsers don’t do this).

Lucklily, I found a really ..hm…interesting solution for this problem:

You can make IE trust your page by setting a special HTTP header. Well, the funny thing is: everyone can to this without any autorization, so what did the guys of Microsoft think when elaborating this “security feature”??

Nevertheless, you can read about the rescuing p3p HTTP header here and there.

I adopted the solution to JSF with Seam and implemented a custom filter that simply adds the mentioned header to every HTTPServletResponse. The code is as follows:

public class ResponseFilter extends AbstractFilter {
@Override
public void doFilter(final ServletRequest request, final ServletResponse response,
final FilterChain chain) throws IOException, ServletException {
HttpServletResponse resp = (HttpServletResponse) response;
//add the mysterious header
resp.addHeader(“p3p”,“CP=\”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\”“);
chain.doFilter(request, resp);
}
}

Finally, you can activate this filter either by using the @Filter annotation of Seam or in your web.xml. I preferred the second way, because this allows to apply the filter only on these views that actually need to return the header. In my case, this was my widget called widget.seam.