Posted by Bruno on 11/19/43 11:45

"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:vaydnarxe6CUb9_ZnZ2dnUVZ_uWdnZ2d@comcast.com...
> Bruno wrote:
>> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
>> news:eYSdnRTXS9B6Kd_ZnZ2dnUVZ_s-dnZ2d@comcast.com...
>>
>>>Bruno wrote:
>>>
>>>>Agreed - A cookie on two.com should not be accessible by one.com.
>>>>
>>>>I want the cookie on two.com to be accessible by two.com inside a frame
>>>>originating on a page at one.com.
>>>>
>>>>But, when the two.com page sets a cookie, and chains another page in
>>>>two.com (within the frameset defined at one.com) the cookie values are
>>>>not accessible under IE as they are for all other browsers.
>>>>
>>>>Now, if I go into the IE privacy setting, click 'override cookie
>>>>handling', and ensure 'always allow third party cookies' is checked the
>>>>application will work in a frame, otherwise it will only work under IE
>>>>if it is in a separate browser window (i.e. being the 'primary' site)
>>>>
>>>>I'm just not happy about having to give instructions to the masses
>>>>telling them to adjust their cookie settings under IE. And as far as I'm
>>>>concerned, site two.com using a site two.com cookie should not be an
>>>>unrealistic thing...
>>>>
>>>
>>>Bruno,
>>>
>>>Just read this thread
>>>
>>>That makes sense. The main page is one.com, so two.com is a third-party
>>>for that page. Unlike when the page is directly loaded from two.com,
>>>where there is no other party involved.
>>>
>>>Sounds like IE is doing exactly what it should. Other than telling the
>>>user to change their browser settings, there isn't much you can do.
>>>
>>>One of the reasons for this setting, btw, is to limit ad tracking. Third
>>>part ads would set cookies on one page and be able to read them on
>>>another page (the ads would be originated at the same domain so this
>>>works).
>>>
>>>BTW - please don't top post. This group uses bottom posting as a
>>>standard.
>>>
>>>--
>>>==================
>>>Remove the "x" from my email address
>>>Jerry Stuckle
>>>JDS Computer Training Corp.
>>>jstucklex@attglobal.net
>>>==================
>>
>>
>> So basically you are saying that IE by default kills all cookies not
>> relating to the primary level domain.
>>
>> It seems that Microsoft has a different interpretation of this than the
>> Mozilla folks: With Mozilla (Firefox) if restricting Cookies to be 'for
>> the originating site only', which is not the default, the application
>> still works, as I assume that they will allow a site that created its
>> cookie to retrieve its cookie, even if in a frame (since it is the
>> originating site).
>>
>> If IE's approach is as you say, it may stop ad counters, but also
>> cripples having nested content not originating from the primary site -
>> That's a shame.
>>
>> If the domain-in-a-frame (two.com in the example) were to specify the
>> main site (one.com) as being the cookie's owner at creation time, would
>> this work to get around the problem? (I'm really just interested getting
>> it working in the frame).
>>
>> Aside from getting users to change their settings, the only other way is
>> to detect IE and spawn it into another browser instance, but this is an
>> ugly solution...
>>
>>
> Basically, yes, IE kills those cookies. You can thank the sites which
> abused cookies and used them to track the sites people visited. Microsoft
> was under fire to increase security to stop the abuse, and they did.
>
> I believe you can do the same by tightening Firefox's security, but I'm
> not positive. It's just a matter of what the default is.
>
> The whole purpose of stopping this is to prevent third-party sites from
> storing/retrieving cookies. I doubt there is any way around it. If there
> were, that would be another security exposure these abusive sites would
> use.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================




Yes, well... It appears that Microsoft forgot to read the specification
then:
(An excerpt from the authority at
http://www.w3.org/TR/html4/present/frames.html#h-16.3)
------------
"16.1 Introduction to frames
HTML frames allow authors to present documents in multiple views, which may
be independent windows or subwindows. "

------------

If a frame is to be considered an independent window, then third-party
considerations really have nothing really to do with it. I guess Microsoft
has decided that the standard does not apply to them, and have gone their
own path as usual...

Oh well, I'm not going to waste my breath tackling with this any further.
I'll just have to put in the best workaround that will do the job and forget
about it.

Thanks for your insights Jerry.

[Back to original message]