JDK-6709008

Plugin does not propagate compact policy headers to IE and Blocks third-party cookies


    • Type: Bug
    • Resolution: Future Project
    • Priority: P3
    • Labels: None
    • Affects Version/s: 1.4.2, 5.0, 6u10
    • Component/s: deploy
    • CPU: x86
    • OS: windows_xp

      Found a bug in the Sun Plugin. FYI, this issue has been escalated to customer
      as a High severity escalation that is impeding a large deployment from one
      of their customers.
       
      Problem Summary:

      IE 6/7 use privacy policies associated with cookies to determine if a third-party
      cookie is acceptable. The privacy policy used by TruePass is a compact privacy policy,
      defined as per the P3P standards. When the TruePass applet running under the Sun (old
      and new generation) plugin issues a HTTPS request to the server, in response to which
      the server sets a cookie having P3P policy headers associated with the cookie, then
      the P3P info seems to be getting dropped while storing the cookie in the browser's
      cookie database i.e. the net effect seems that the cookie itself does get stored in
      the browser's cookie database, but not the P3P policy information. This causes IE to
      consider this a third-party cookie without a P3P policy, and "block" the cookie,
      when it should be accepted.

       

      Problem details

      Must use 2 internet domains to explain the scenario. Let those domains be primary.com
      and secondary.com. The user initially goes to www.primary.com, authenticates using the
      TruePass applet, which causes the TruePass applet to communicate with the TruePass
      server over HTTPS (using java.net.URLConnection). In one of the HTTPS requests from
      the applet, the server sets a session cookie in the primary.com domain (let us call
      this cookie A) along with this P3P header:

      CP="NON UNI DEM IVAa IVDa STA PRE"

       

      Also of importance here is that there are other cookies (with the P3P info) set by
      JavaScript code as part of HTTPS requests that are not initiated by the applet.
      Let us call such a cookie cookie B.

       

      Cookie A and cookie B do get saved in the browser's cookie database properly since
      we can see the cookie info for both cookies getting transmitted back to any server in
      the primary.com domain on future requests from the browser - this works as long as
      the user is on a web page in which all content is from primary.com.

       

      Next, the user moves to www.secondary.com where there is an HTML page that contains a
      frameset with 2 frames: frame #1 contains a page from www.secondary.com and frame #2
      contains a page from www.primary.com. When the browser initiates the request for the
      page for frame #2, it is expected to send both cookie A and cookie B to the
      www.primary.com server. Instead, what you see is that cookie A is blocked by IE
      and cookie B is sent. The problem is visible to the end user since a red icon (called
      "Privacy Report") is displayed on IE's status bar.

       

      This problem of the missing cookie A is what we believe to be a bug in the Sun Plugin.

       

      Points to note:

          1. Happens only on IE 6/7 with the Sun Java plugin.

          2. Does not happen when the Sun plugin is used with Firefox.

          3. Does not happen when IE 6/7 is used with the Microsoft JVM.

       

      Example Response:

       

      The "LostCookie" is blocked by IE because the Plugin does not pass to IE the P3P
      header that IE requires before it will set a third-party cookie.

       

          Thu May 29 16:40:09 2008 2995<->11942 reverse\r
          HTTP/1.1 200 OK\r
          Date: Fri, 30 May 2008 19:39:52 GMT\r
          Server: IBM_HTTP_Server\r
          Cache-Control: no-cache\r
          Pragma: no-cache\r
          Set-Cookie: LostCookie="123456789"; Path=/; Domain=.entrust.com; Secure\r
          P3P: CP="NON UNI DEM IVAa IVDa STA PRE"\r
          Keep-Alive: timeout=10, max=99\r
          Connection: Keep-Alive\r
          Transfer-Encoding: chunked\r
          Content-Type: application/octet-stream\r
          Content-Language: en-US\r
          \r
          c\r
          CONTENT...
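The following is an added example, not part of the bug report and not Sun's plugin or customer code. It rebuilds the captured response above as a raw HTTP message, extracts the Set-Cookie and P3P compact policy headers, and runs a simplified model (an assumption, not IE's actual algorithm) of IE 6/7's default "Medium" privacy rule: first-party cookies are stored, third-party cookies are stored only when a compact policy accompanied them. The `strip_p3p` path models the behaviour the report describes, the cookie reaching the browser without its P3P header, and `cookies_without_policy` is a server-side audit a site owner can run over its own responses to find cookies that would be blocked in any third-party frame.

```python
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed sample: the response captured in the report, rebuilt as a raw
# HTTP/1.1 message with CRLF line endings (the "\r" markers in the capture).
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 30 May 2008 19:39:52 GMT\r\n"
    "Server: IBM_HTTP_Server\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    'Set-Cookie: LostCookie="123456789"; Path=/; Domain=.entrust.com; Secure\r\n'
    'P3P: CP="NON UNI DEM IVAa IVDa STA PRE"\r\n'
    "Keep-Alive: timeout=10, max=99\r\n"
    "Connection: Keep-Alive\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Language: en-US\r\n"
    "\r\n"
    "c\r\n"
    "CONTENT...\r\n"
)


def parse_response(raw: str) -> Tuple[str, List[Header]]:
    """Split a raw HTTP response into its status line and an ordered header list.
    Headers are kept as (name, value) pairs rather than a dict because a
    response may carry several Set-Cookie headers that must all be preserved."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


# P3P compact policy: P3P: CP="<space separated policy tokens>"
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"', re.IGNORECASE)


def compact_policy(headers: List[Header]) -> Optional[str]:
    """Return the compact policy token string from the P3P header, or None."""
    for name, value in headers:
        if name.lower() == "p3p":
            match = _CP_RE.search(value)
            if match:
                return match.group(1).strip()
    return None


def cookie_names(headers: List[Header]) -> List[str]:
    """Names of every cookie the response tries to set (one per Set-Cookie)."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            first_pair = value.split(";", 1)[0]
            names.append(first_pair.split("=", 1)[0].strip())
    return names


def ie_would_store(cp: Optional[str], third_party: bool) -> bool:
    """Simplified model (assumption) of IE 6/7's default 'Medium' setting:
    first-party cookies are stored; third-party cookies need a compact policy.
    Real IE also rejects policies with 'unsatisfactory' tokens; not modelled."""
    if not third_party:
        return True
    return cp is not None


def evaluate(headers: List[Header], third_party: bool) -> Dict[str, bool]:
    """Map each cookie in the response to whether the model stores it."""
    cp = compact_policy(headers)
    return {name: ie_would_store(cp, third_party) for name in cookie_names(headers)}


def strip_p3p(headers: List[Header]) -> List[Header]:
    """Model the behaviour described in the report: the Set-Cookie reaches the
    browser's cookie store but the accompanying P3P header is dropped."""
    return [(n, v) for n, v in headers if n.lower() != "p3p"]


def cookies_without_policy(raw: str) -> List[str]:
    """Server-side audit: cookies set by a response carrying no compact policy,
    i.e. cookies IE would block whenever the page is framed by another domain."""
    _, headers = parse_response(raw)
    if compact_policy(headers) is not None:
        return []
    return cookie_names(headers)


if __name__ == "__main__":
    _, hdrs = parse_response(RAW_RESPONSE)
    print("browser path, third-party frame:", evaluate(hdrs, third_party=True))
    print("P3P dropped, third-party frame:  ", evaluate(strip_p3p(hdrs), third_party=True))
    print("P3P dropped, first-party page:   ", evaluate(strip_p3p(hdrs), third_party=False))
```

Run against the capture, the cookie is stored on the browser path and blocked once the P3P header is stripped in a third-party frame, which matches the symptom in the report: cookie A (set through the applet) is missing on the www.secondary.com frameset while cookie B (set by a browser-initiated request, P3P intact) is sent.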

      Any suggestions for a workaround to this issue would also be appreciated. Note that
      customer's applet supports Sun JRE 1.4.2, 1.5 and 1.6 so a solution for all JREs
      is desired.

            dgu Dennis Gu (Inactive)
            tyao Ting-Yun Ingrid Yao (Inactive)