P3P Headers missing in SSO URL

Cantor, Scott cantor.2 at osu.edu
Wed Nov 28 00:23:27 EST 2012

On 11/28/12 12:06 AM, "gracec0505" <gracec0505 at gmail.com> wrote:
>We are running Shibboleth 2.3.1 and Apache 2.2

I hope you did some patching, or you have a serious security problem.

>We are able to detect the P3P headers in all pages in the website except
>for the ones that are related to Shibboleth -
>https://[our domain]/Shibboleth.sso/SAML2/POST itself and the configured
>error pages.

I just verified that behavior, please file a bug.

>We also have an issue with clients' IFrame application blocking our
>cookies because it cannot detect the P3P headers.

That can't be fixed unless you seriously think you can dictate that all
your clients use IE, which seems pretty unreasonable to me in 2012.

>Our client has the application in an IFRAME.

I don't support that and I don't see any way I can. I won't be putting
session tokens on the URL, and that's the only portable way to support

I'm happy to look into the Header command bug if you file it, but I cannot
make frames work.

-- Scott
