Posted by Jerry Stuckle on 04/17/06 05:39
Bruno wrote:
> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
> news:eYSdnRTXS9B6Kd_ZnZ2dnUVZ_s-dnZ2d@comcast.com...
>
>>Bruno wrote:
>>
>>>Agreed - A cookie on two.com should not be accessible by one.com.
>>>
>>>I want the cookie on two.com to be accessible by two.com inside a frame
>>>originating on a page at one.com.
>>>
>>>But, when the two.com page sets a cookie, and chains another page in
>>>two.com (within the frameset defined at one.com) the cookie values are
>>>not accessible under IE as they are for all other browsers.
>>>
>>>Now, if I go into the IE privacy setting, click 'override cookie
>>>handling', and ensure 'always allow third party cookies' is checked the
>>>application will work in a frame, otherwise it will only work under IE if
>>>it is in a separate browser window (i.e. being the 'primary' site)
>>>
>>>I'm just not happy about having to give instructions to the masses
>>>telling them to adjust their cookie settings under IE. And as far as I'm
>>>concerned, site two.com using a site two.com cookie should not be an
>>>unrealistic thing...
>>>
>>
>>Bruno,
>>
>>Just read this thread
>>
>>That makes sense. The main page is one.com, so two.com is a third-party
>>for that page. Unlike when the page is directly loaded from two.com,
>>where there is no other party involved.
>>
>>Sounds like IE is doing exactly what it should. Other than telling the
>>user to change their browser settings, there isn't much you can do.
>>
>>One of the reasons for this setting, btw, is to limit ad tracking.
>>Third-party ads would set cookies on one page and be able to read them on another
>>page (the ads would be originated at the same domain so this works).
>>
>>BTW - please don't top post. This group uses bottom posting as a
>>standard.
>>
>>--
>>==================
>>Remove the "x" from my email address
>>Jerry Stuckle
>>JDS Computer Training Corp.
>>jstucklex@attglobal.net
>>==================
>
>
> So basically you are saying that IE by default kills all cookies not
> relating to the primary level domain.
>
> It seems that Microsoft has a different interpretation of this than the
> Mozilla folks: With Mozilla (Firefox) if restricting Cookies to be 'for the
> originating site only', which is not the default, the application still
> works, as I assume that they will allow a site that created its cookie to
> retrieve its cookie, even if in a frame (since it is the originating site).
>
> If IE's approach is as you say, it may stop ad counters, but also cripples
> having nested content not originating from the primary site - That's a
> shame.
>
> If the domain-in-a-frame (two.com in the example) were to specify the main
> site (one.com) as being the cookie's owner at creation time, would this work
> to get around the problem? (I'm really just interested in getting it working
> in the frame).
>
> Aside from getting users to change their settings, the only other way is to
> detect IE and spawn it into another browser instance, but this is an ugly
> solution...
>
>
Basically, yes, IE kills those cookies. You can thank the sites which abused
cookies and used them to track the sites people visited. Microsoft was under
fire to increase security to stop the abuse, and they did.

I believe you can do the same by tightening Firefox's security, but I'm not
positive. It's just a matter of what the default is.

The whole purpose of stopping this is to prevent third-party sites from
storing/retrieving cookies. I doubt there is any way around it. If there were,
that would be another security exposure these abusive sites would use.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================