我有两个网站,假设它们是 example.com 和 anotherexample.net。
在 anotherexample.net/page.html 上,我有一个 IFRAME SRC="http://example.com/someform.asp"。该 IFRAME 显示一个表单供用户填写并提交到 http://example.com/process.asp。当我在自己的浏览器窗口中打开表单(“someform.asp”)时,一切正常。
但是,当我在 IE 6 或 IE 7 中将 someform.asp 加载为 IFRAME 时,example.com 的 cookie 不会保存。在 Firefox 中,不会出现此问题。
出于测试目的,我在 http://newmoon.wz.cz/test 上创建了类似的设置/page.php 。
example.com 使用基于 cookie 的会话(对此我无能为力),因此如果没有 cookie,process.asp 将不会执行。 如何强制 IE 保存这些 cookie?
嗅探 HTTP 流量的结果:在 GET /someform.asp 响应中,有一个有效的每会话 Set-Cookie 标头(例如 Set-Cookie : ASPKSJIUIUGF=JKHJUHVGFYTTYFY),但是在 POST /process.asp 请求中,根本没有 Cookie 标头。
Edit3:一些AJAX+服务器端脚本显然能够回避这个问题,但这看起来很像一个错误,而且它打开了一组全新的 安全漏洞。我不希望我的应用程序仅仅因为简单而使用错误+安全漏洞的组合。
编辑:P3P 政策是根本原因,完整解释如下。
I have two websites, let's say they're example.com and anotherexample.net.
On anotherexample.net/page.html, I have an IFRAME SRC="http://example.com/someform.asp". That IFRAME displays a form for the user to fill out and submit to http://example.com/process.asp. When I open the form ("someform.asp") in its own browser window, all works well.
However, when I load someform.asp as an IFRAME in IE 6 or IE 7, the cookies for example.com are not saved. In Firefox this problem doesn't appear.
For testing purposes, I've created a similar setup on http://newmoon.wz.cz/test/page.php .
example.com uses cookie-based sessions (and there's nothing I can do about that), so without cookies, process.asp won't execute. How do I force IE to save those cookies?
Results of sniffing the HTTP traffic: on GET /someform.asp response, there's a valid per-session Set-Cookie header (e.g. Set-Cookie: ASPKSJIUIUGF=JKHJUHVGFYTTYFY), but on POST /process.asp request, there is no Cookie header at all.
Edit3: some AJAX+serverside scripting is apparently capable to sidestep the problem, but that looks very much like a bug, plus it opens a whole new set of security holes. I don't want my applications to use a combination of bug+security hole just because it's easy.
Edit: the P3P policy was the root cause, full explanation below.
发布评论
评论(22)
我让它工作了,但解决方案有点复杂,所以请耐心等待。
发生的情况
事实上,Internet Explorer 对 IFRAME 页面的信任级别较低(IE 将此称为“第三方”内容)。如果 IFRAME 内的页面没有隐私政策,则其 cookie 会被阻止(由状态栏中的眼睛图标表示,当您单击它时,它会显示被阻止的 URL 列表)。
(来源:piskvor.org)
在这种情况下,当cookie被阻止,会话标识符未发送,并且目标脚本抛出“未找到会话”错误。
(我尝试将会话标识符设置到表单中并从 POST 变量加载它。这会起作用,但出于政治原因我不能这样做。)
可以使页面IFRAME 内部更受信任:如果内部页面发送带有 IE 可接受的隐私策略的 P3P 标头,则 cookie 将被接受。
如何解决该问题
创建 p3p 策略
W3C 教程是一个很好的起点。我已经完成了它,下载了 IBM Privacy Policy Editor 并在那里创建了一个表示的隐私政策,并为其指定一个名称以供引用(此处为
policy1)。注意:此时,您实际上需要查明您的网站是否有隐私政策,如果没有,请创建它 - 它是否收集用户数据、什么类型的数据、它如何处理这些数据、谁有权访问它等等。您需要找到此信息并思考。 仅仅将几个标签放在一起是不够的。这一步不能纯粹用软件来完成,并且可能具有高度政治性(例如“我们应该出售我们的点击统计数据吗?”)。
(例如“该网站由 ACME Ltd. 运营,其运营使用匿名的每会话标识符,仅在明确许可的情况下收集用户数据,并且仅用于以下目的,仅在必要时存储数据,仅我们公司可以访问它,等等”)。
(使用此工具进行编辑时,可以查看策略中的错误/遗漏。“HTML 策略”选项卡也非常有用:在底部,它有一个“策略评估” - 快速检查策略是否会被阻止根据 IE 的默认设置)
编辑器导出到 .p3p 文件,该文件是上述策略的 XML 表示形式。此外,它还可以导出该策略的“精简版本”。
政策链接
然后需要一个政策参考文件 (
http://example.com/w3c/p3p.xml)(网站使用的隐私政策索引):< INCLUDE>显示将使用此策略的所有 URI(在我的例子中是整个网站)。我从编辑器导出的策略文件已上传到http://example.com/w3c/example-com.p3p发送带有响应的紧凑标头,
我已在示例中设置了网络服务器。 com 发送带有响应的紧凑标头,如下所示:
policyref是策略参考文件(依次引用隐私策略)的相对 URI,CP是紧凑标头政策代表性。 请注意,示例中的 P3P 标头组合可能不适用于您的特定网站;您的 P3P 标头必须如实代表您自己的隐私政策!利润!
在此配置中,邪眼不会出现,cookie 甚至会保存在 IFRAME 中,并且应用程序可以正常运行。
编辑:不应该做什么,除非你想免受诉讼
有几个人建议“在你的 P3P 标头中打上一些标签,直到邪恶之眼放弃”。
这些标签不仅仅是一堆位,它们具有现实世界的含义,并且它们的使用赋予您现实世界的责任!
例如,假装你从不收集用户数据可能会让浏览器满意,但如果你真的收集用户数据,P3P 就与现实相冲突了。简单明了,您是故意对用户撒谎,这在某些国家/地区可能属于犯罪行为。就像“进监狱,不要收取 200 美元”。
一些示例(请参阅 p3pwriter 了解完整的标签集):
STP但没有保留政策,您可能完全不是。)我不是律师,但我不愿意上法庭看看 P3P 标头是否真正具有法律约束力。你可以向你的用户承诺任何事情,但实际上却不愿意兑现你的承诺。
I got it to work, but the solution is a bit complex, so bear with me.
What's happening
As it is, Internet Explorer gives lower level of trust to IFRAME pages (IE calls this "third-party" content). If the page inside the IFRAME doesn't have a Privacy Policy, its cookies are blocked (which is indicated by the eye icon in status bar, when you click on it, it shows you a list of blocked URLs).
(source: piskvor.org)
In this case, when cookies are blocked, session identifier is not sent, and the target script throws a 'session not found' error.
(I've tried setting the session identifier into the form and loading it from POST variables. This would have worked, but for political reasons I couldn't do that.)
It is possible to make the page inside the IFRAME more trusted: if the inner page sends a P3P header with a privacy policy that is acceptable to IE, the cookies will be accepted.
How to solve it
Create a p3p policy
A good starting point is the W3C tutorial. I've gone through it, downloaded the IBM Privacy Policy Editor and there I created a representation of the privacy policy and gave it a name to reference it by (here it was
policy1).NOTE: at this point, you actually need to find out if your site has a privacy policy, and if not, create it - whether it collects user data, what kind of data, what it does with it, who has access to it, etc. You need to find this information and think about it. Just slapping together a few tags will not cut it. This step cannot be done purely in software, and may be highly political (e.g. "should we sell our click statistics?").
(e.g. "the site is operated by ACME Ltd., it uses anonymous per-session identifiers for its operation, collects user data only if explicitly permitted and only for the following purposes, the data is stored only as long as necessary, only our company has access to it, etc. etc.").
(When editing with this tool, it's possible to view errors/omissions in the policy. Also very useful is the tab "HTML Policy": at the bottom, it has a "Policy Evaluation" - a quick check if the policy will be blocked by IE's default settings)
The Editor exports to a .p3p file, which is an XML representation of the above policy. Also, it can export a "compact version" of this policy.
Link to the policy
Then a Policy Reference file (
http://example.com/w3c/p3p.xml) was needed (an index of privacy policies the site uses):The
<INCLUDE>shows all URIs that will use this policy (in my case, the whole site). The policy file I've exported from the Editor was uploaded tohttp://example.com/w3c/example-com.p3pSend the compact header with responses
I've set the webserver at example.com to send the compact header with responses, like this:
policyrefis a relative URI to the Policy Reference file (which in turn references the privacy policies),CPis the compact policy representation. Note that the combination of P3P headers in the example may not be applicable on your specific website; your P3P headers MUST truthfully represent your own privacy policy!Profit!
In this configuration, the Evil Eye does not appear, the cookies are saved even in the IFRAME, and the application works.
Edit: What NOT to do, unless you like defending from lawsuits
Several people have suggested "just slap some tags into your P3P header, until the Evil Eye gives up".
The tags are not only a bunch of bits, they have real world meanings, and their use gives you real world responsibilities!
For example, pretending that you never collect user data might make the browser happy, but if you actually collect user data, the P3P is conflicting with reality. Plain and simple, you are purposefully lying to your users, and that might be criminal behavior in some countries. As in, "go to jail, do not collect $200".
A few examples (see p3pwriter for the full set of tags):
STPbut don't have a retention policy, you may be committing fraud. How cool is that? Not at all.)I'm not a lawyer, but I'm not willing to go to court to see if the P3P header is really legally binding or if you can promise your users anything without actually willing to honor your promises.
我花了一天的大部分时间研究 P3P 的事情,我觉得有必要分享我的发现。
我注意到 P3P 概念非常过时,并且似乎只有 Internet Explorer (IE) 才真正使用/强制执行。
最简单的解释是:如果您使用cookie,IE 希望您定义一个P3P 标头。
这是一个好主意,幸运的是大多数时候不提供此标头不会导致任何问题(请阅读浏览器警告)。除非您的网站/网络应用程序使用 (i)Frame 加载到其他网站中。这就是 IE 成为一个巨大痛苦的地方。除非设置了 P3P 标头,否则它不允许您设置 cookie。
知道这一点后,我想找到以下两个问题的答案:
我的发现是:
这个概念诞生于 2002 年,令我困惑的是,这个过时且未在法律上实施的概念仍然强加给 IE 中的开发人员。
如果此标头没有任何法律后果,则应忽略此标头(或者在控制台中生成警告或通知)。不强制执行!我现在被迫在代码中添加一行(并向客户端发送标头),该行绝对不执行任何操作。
简而言之 - 为了让 IE 满意 - 将以下行添加到您的 PHP 代码中(其他语言应该看起来类似)
问题解决了,IE 对这个土豆感到满意。
I've spend a large part of my day looking into this P3P thing and I feel the need to share what I've found out.
I've noticed that the P3P concept is very outdated and seems only to be really used/enforced by Internet Explorer (IE).
The simplest explanation is: IE wants you to define a P3P header if you are using cookies.
This is a nice idea, and luckily most of the time not providing this header won't cause any issues (read browser warnings). Unless your website/web application is loaded into an other website using an (i)Frame. This is where IE becomes a massive pain in the ***. It will not allow you to set a cookie unless the P3P header is set.
Knowing this I wanted to find an answer to the following two questions:
My findings are:
The concept was born in 2002 and it baffles me that this outdated and legally unimplemented concept is still forced upon developers within IE.
If this header doesn't have have any legal ramifications this header should be ignored (or alternatively, generate a warning or notification in the console). Not enforced! I'm now forced to put a line in my code (and send a header to the client) that does absolutely nothing.
In short - to keep IE happy - add the following line to your PHP code (Other languages should look similar)
Problem solved, and IE is happy with this potato.
我只需将这个小标头添加到 IFrame(PHP 解决方案)中的网站即可消除邪恶之眼:
记住按 ctrl+F5 重新加载您的网站,否则资源管理器可能仍会显示邪恶之眼,尽管事实上它运行良好。这可能是我在使用它时遇到很多问题的主要原因。
根本不需要政策文件。
编辑:
我发现了一篇不错的博客文章,它解释了 IFrame 中 cookie 的问题。它还在 C# 代码中提供了快速修复:
框架、ASPX 页面和拒绝的 Cookie
I was able to make the evil eye go away by simply adding this small header to the site in the IFrame (PHP solution):
Remember to press ctrl+F5 to reload your site or Explorer may still show the evil eye, despite the fact that it's working fine. This is probably the main reason why I had so many problems getting it to work.
No policy file was neccesary at all.
Edit:
I found a nice blog entry that explains the problem with cookies in IFrames. It also has a quick fix in C# code:
Frames, ASPX Pages and Rejected Cookies
这被埋在其他答案的评论中,但我几乎错过了它,所以看起来它应该有自己的答案。
回顾一下:为了让 IE 接受第 3 方 cookie,您需要使用名为 p3p 的 http 标头来提供文件,其格式为:
但是,p3p 作为标准此时几乎已经死亡,您可以轻松地让 IE 工作而无需投入时间和法律资源来制定真正的 P3P 政策。这是因为,如果您的紧凑 p3p 策略标头无效,IE 实际上会将其视为良好策略并接受第 3 方 cookie。因此,您可以使用像这样的 p3p 标头
您可以选择包含一个指向页面的链接,该链接解释了为什么您没有 p3p 政策,就像 Google 和 Facebook 所做的那样(他们在这里指出:https://support.google.com/accounts/answer/151657 和此处:https://www.facebook.com/help/327993273962160/)。
最后,需要注意的是,从第 3 方站点提供的所有文件都需要具有 p3p 标头,而不仅仅是设置 cookie 的标头,因此您可能无法仅在 PHP、asp.net 等中执行此操作代码。您最好在 Web 服务器级别(即在 IIS 或 Apache 中)进行设置。
This is buried in the comments of other answers, but I almost missed it, so it seems like it deserves its own answer.
To review: in order for IE to accept 3rd party cookies, you need serve your files with an http header called p3p in the format:
BUT, p3p is pretty much dead as a standard at this point and you can easily get IE to work without investing the time and legal resources in creating a real p3p policy. This is because if your compact p3p policy header is invalid, IE actually treats it as a good policy and accepts 3rd party cookies. So you can use a p3p header such as this
You can optionally include a link to a page that explains why you don't have a p3p policy, as Google and Facebook do (they point here: https://support.google.com/accounts/answer/151657 and here: https://www.facebook.com/help/327993273962160/).
Finally, it's important to note that all files served from the 3rd party site need to have the p3p header, not just the one that sets the cookie, so you may not be able to just do this in your PHP, asp.net, etc code. You are probably better off setting in up on the web server level (i.e. in IIS or Apache).
我也遇到了这个问题,我想我应该发布我在 MVC2 项目中使用的代码。在页面生命周期中添加标头时要小心,否则您将收到 HttpException“服务器无法在发送 HTTP 标头后附加标头”。我在 OnActionExecuting 方法(在执行操作之前调用)上使用了自定义 ActionFilterAttribute。
使用示例:
I had this issue as well, thought I'd post the code that I used in my MVC2 project. Be careful when in the page life cycle you add in the header or you'll get an HttpException "Server cannot append header after HTTP headers have been sent." I used a custom ActionFilterAttribute on the OnActionExecuting method (called before the action is executed).
Example use:
这是关于这个问题的一个很好的话题,但是我发现一个重要的细节(至少在我的情况下是必不可少的)没有发布在这里或其他任何地方(如果我错过了,我很抱歉)是 P3P 线路必须是传入从第 3 方服务器发送的每个文件的标头,甚至是未设置或使用 cookie 的文件,例如 Javascript 文件或图像。否则 cookie 将被阻止。我在此处的帖子中有更多相关信息:http://posheika.net/?p=110
This is a great topic on the issue, however I found that one important detail (which was essential at least in my case) that was not posted here or anywhere else (I apologize if I just missed it) was that the P3P line must be passed in header of EVERY file sent from the 3rd party server, even files not setting or using the cookies such as Javascript files or images. Otherwise the cookies will be blocked. I have more on this in a post here: http://posheika.net/?p=110
任何在 Node.js 中遇到此问题的人。
然后添加这个p3p模块,并在中间件中启用这个模块。
我使用的是express,所以我将其添加到app.js中
首先需要app.js中的模块
,然后将其用作中间件
它将在res对象中添加p3p标头。无需做任何额外的事情。
您将在以下位置获得更多信息:
https://github.com/troygoode/node-p3p
Anyone having this problem in node.js.
Then add this p3p module, and enable this module at middleware.
I am using express so I add it in app.js
First require that module in app.js
then use it as middleware
It will add p3p headers at res object. No need to do any extra things.
You will get more info at:
https://github.com/troygoode/node-p3p
如果有人正在寻找 Apache 线路;我们用的是这个。
只要有 P3P 标头,我们将 CP 值设置为多少并不重要。
If anybody is looking for Apache line; we used this one.
It really didn't matter what we set CP value to, as long as there is the P3P header.
一种可能的做法是将域添加到工具中允许的站点 ->互联网选项 ->隐私->站点:somedomain.com ->允许->好的。
One possible thing to do is to add the domain to allowed sites in tools -> internet options -> privacy -> sites: somedomain.com -> allow -> OK.
这篇文章提供了一些关于 P3P 的评论以及减少 IE7 和 IE8 问题的快捷解决方案。
This post provides some commentary on P3P and a short-cut solution that reduces the problems with IE7 and IE8.
我在这里没有看到提到的一种解决方案是使用会话存储而不是cookie。
当然,这可能不适合每个人的要求,但对于某些情况来说这是一个简单的解决方案。
One solution that I haven't seen mentioned here, is using session storage instead of cookies.
Of course this might not fit everyone's requirements, but for some cases it's an easy fix.
我正在调查有关通过 Azure 访问控制服务登录的问题,但无法连接任何内容的头和尾。
然后,偶然发现了这篇文章 https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/
在简而言之,IE 不会跨区域共享 cookie(例如互联网与受信任的站点)。
因此,如果您的 IFrame 目标和 html 页面位于不同区域,则 P3P 将无济于事。
I was investigating this problem with regard to login-off via Azure Access Control Services, and wasn't able to connect head and tails of anything.
Then, stumbled over this post https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/
In short, IE doesn't share cookies across zones (eg. Internet vs. Trusted sites).
So, if your IFrame target and html page are in different zone's P3P won't help with anything.
遇到类似的问题,今天早上也去研究如何生成 P3P 策略,这是我关于如何生成自己的策略并在网站中使用的帖子:)
http://everydayopenslikeaflower.blogspot。 com/2009/08/how-to-create-p3p-policy-and-implement.html
Got similar problem, also went to investigate how to generate the P3P policy this morning, here is my post about how to generate your own policy and use in the web site :)
http://everydayopenslikeaflower.blogspot.com/2009/08/how-to-create-p3p-policy-and-implement.html
我之前已经实施了完整的 P3P 策略,但不想为我正在开发的新项目再次经历这种麻烦。我发现此链接对于解决问题的简单方法很有用,只需指定“CAO PSA OUR”的最小紧凑 P3P 策略:
http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html
该文章引用了 Microsoft 知识库文章的链接(现已损坏)。这项政策对我来说起了作用!
I've implemented a full P3P policy before but didn't want go through the hassle again for a new project I was working on. I found this link useful for a simple solution to the problem, only having to specify a minimal compact P3P policy of "CAO PSA OUR":
http://blog.sweetxml.org/2007/10/minimal-p3p-compact-policy-suggestion.html
The article quotes a (now broken) link to a Microsoft kb article. The policy did the trick for me!
您还可以组合 p3p.xml 和 policy.xml 文件,如下所示:
/home/ubuntu/sites/shared/w3c/p3p.xml
我发现添加标头的最简单方法是通过 Apache 代理并使用 mod_headers,如下所示:
因此,我们将除 /w3c/p3p.xml 之外的所有请求代理到我们的应用程序服务器。
您可以使用 W3C 验证器 进行全部测试
You can also combine the p3p.xml and policy.xml files as such:
/home/ubuntu/sites/shared/w3c/p3p.xml
I found the easiest way to add a header is proxy through Apache and use mod_headers, as such:
So we proxy all requests except those to /w3c/p3p.xml to our application server.
You can test it all with the W3C validator
如果您拥有需要嵌入的域,那么您可以在调用包含 IFrame 的页面之前重定向到该域,这将创建 cookie 并重定向回来,
如此处所述:http://www.mendoweb。 be/blog/internet-explorer-safari-third-party-cookie-problem/
这适用于 Internet Explorer,但也适用于 Safari(因为 Safari 也会阻止第三方 cookie)。
If you own the domain that needs to be embedded, then you could, before calling the page that includes the IFrame, redirect to that domain, which will create the cookie and redirect back,
as explained here: http://www.mendoweb.be/blog/internet-explorer-safari-third-party-cookie-problem/
This will work for Internet Explorer but for Safari as well (because Safari also blocks the third-party cookies).
我知道现在对这个主题做出贡献有点晚了,但我浪费了很多时间,也许这个答案会对某人有所帮助。
我试图在我的网站上调用第三方 cookie,当然它在 Internet Explorer 10 上不起作用,即使安全级别较低......不要问我为什么。在 iframe 中,我使用 ajax 调用 read_cookie.php (echo $_COOKIE)。
我不知道为什么我无法设置 P3P 策略来解决问题......
在我的搜索过程中,我看到了一些关于让 cookie 在 JSON 中工作的信息。我什至没有尝试,因为我认为如果 cookie 不会通过 iframe,它就不会再通过数组传递......
你猜怎么着,它确实如此!因此,如果您对 cookie 进行 json_encode,然后在 ajax 请求后进行解码,您就会得到它!
也许我错过了一些事情,如果我错过了,我很抱歉,但我从来没有见过如此愚蠢的事情。为了安全起见,阻止第三方 cookie,为什么不呢,但如果经过编码就让它通过呢?现在保安在哪里?
我希望这篇文章能对某人有所帮助,如果我错过了一些东西并且我很愚蠢,请教育我!
I know it's a bit late to put my contribution on this subject but I lost so many hours that maybe this answer will help somebody.
I was trying to call a third party cookie on my site and of course it was not working on Internet Explorer 10, even at a low security level... don't ask me why. In the iframe I was calling a read_cookie.php (echo $_COOKIE) with ajax.
And I don't know why I was incapable of setting the P3P policy to solve the problem...
During my search I saw something about getting the cookie in JSON working. I don't even try because I thought that if the cookie won't pass through an iframe, it will not pass any more through an array...
Guess what, it does! So if you json_encode your cookie then decode after your ajax request, you'll get it!
Maybe there is something I missed and if I did, all my apologies, but i never saw something so stupid. Block third party cookies for security, why not, but let it pass if encoded? Where is the security now?
I hope this post will help somebody and again, if I missed something and I'm dumb, please educate me!
这最终对我有用(经过一番努力并使用 IBM 策略生成器生成了一些策略)。您可以在此处下载策略生成器:http://www .softpedia.com/get/Security/Security-Related/P3P-Policy-Editor.shtml
我无法再从 IBM 官方网站下载生成器。
我在 Web 应用程序
This finally worked for me (after a lot of hastle and generating some policies using IBMs policy generator). You can downlod the policy generator here: http://www.softpedia.com/get/Security/Security-Related/P3P-Policy-Editor.shtml
I was not able to download the generator from the official IBM website any more.
I created these files in the root folder of my Web-App
在Rails中我使用这个gem: https://github.com/merchii/rack-iframe
实际上,它设置了一组没有参考文件的缩写: https://github.com/merchii/rack-iframe/blob/master/lib/rack/iframe.rb#L8
当你完全不关心其含义时,安装起来很容易p3p 的东西。
In Rails I am using this gem : https://github.com/merchii/rack-iframe
Bawically it sets a set of abbreviations without a reference file: https://github.com/merchii/rack-iframe/blob/master/lib/rack/iframe.rb#L8
It is easy to install when you dont care at all about the meaning of the p3p stuff.
对于任何试图让 P3P 紧凑策略与静态内容一起工作的人:
仅如果您能够发送带有静态内容的自定义服务器端响应标头,则这是可能的。
有关更详细的说明,请参阅我的回答:在 HTML 中设置 P3P 代码
For anyone trying to get the P3P Compact Policy working with static content:
It is only possible if you are able to send custom server-side response headers with the static content.
For a more detailed explanation see my answer here: Set P3P code in HTML
在Rails 3.2中我使用:
我从以下位置得到这个: http://dot-net-web-developer-bristol.blogspot.com/2012/04/setting-p3p-header-in-rails-session.html
In Rails 3.2 I am using:
I got this from: http://dot-net-web-developer-bristol.blogspot.com/2012/04/setting-p3p-header-in-rails-session.html
更好的解决方案是在 iframe 内对页面进行 Ajax 调用,以获取/设置 cookie...
A better solution would be to make an Ajax call inside the iframe to the page that would get/set cookies...