Posted by Bruno on 04/17/06 01:08

"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:eYSdnRTXS9B6Kd_ZnZ2dnUVZ_s-dnZ2d@comcast.com...
> Bruno wrote:
>> Agreed - A cookie on two.com should not be accessible by one.com.
>>
>> I want the cookie on two.com to be accessible by two.com inside a frame
>> originating on a page at one.com.
>>
>> But, when the two.com page sets a cookie, and chains another page in
>> two.com (within the frameset defined at one.com) the cookie values are
>> not accessible under IE as they are for all other browsers.
>>
>> Now, if I go into the IE privacy setting, click 'override cookie
>> handling', and ensure 'always allow third party cookies' is checked the
>> application will work in a frame, otherwise it will only work under IE if
>> it is in a separate browser window (i.e. being the 'primary' site)
>>
>> I'm just not happy about having to give instructions to the masses
>> telling them to adjust their cookie settings under IE. And as far as I'm
>> concerned, site two.com using a site two.com cookie should not be an
>> unrealistic thing...
>>
>
> Bruno,
>
> Just read this thread
>
> That makes sense. The main page is one.com, so two.com is a third-party
> for that page. Unlike when the page is directly loaded from two.com,
> where there is no other party involved.
>
> Sounds like IE is doing exactly what it should. Other than telling the
> user to change their browser settings, there isn't much you can do.
>
> One of the reasons for this setting, btw, is to limit ad tracking. Third
> part ads would set cookies on one page and be able to read them on another
> page (the ads would be originated at the same domain so this works).
>
> BTW - please don't top post. This group uses bottom posting as a
> standard.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================

So basically you are saying that IE by default kills all cookies not
relating to the primary level domain.

It seems that Microsoft has a different interpretation of this than the
Mozilla folks: With Mozilla (Firefox) if restricting Cookies to be 'for the
originating site only', which is not the default, the application still
works, as I assume that they will allow a site that created its cookie to
retrieve its cookie, even if in a frame (since it is the originating site).

If IE's approach is as you say, it may stop ad counters, but also cripples
having nested content not originating from the primary site - That's a
shame.

If the domain-in-a-frame (two.com in the example) were to specify the main
site (one.com) as being the cookie's owner at creation time, would this work
to get around the problem? (I'm really just interested getting it working in
the frame).

Aside from getting users to change their settings, the only other way is to
detect IE and spawn it into another browser instance, but this is an ugly
solution...

[Back to original message]