Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author AITpro

    (@aitpro)

    This code worked for me:

    <IfModule mod_headers.c>
    # Simple
    #Header set P3P policyref="https://aitpro.local/w3c/p3p.xml"
    # More complex
    Header set P3P 'policyref="https://aitpro.local/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS"'
    </IfModule>

    1. This P3P custom .htaccess code above would go in this BPS Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE

    2. Click the Save Root Custom Code button.

    3. Go to the Security Modes page, click the Create secure.htaccess File button and activate Root folder BulletProof Mode again.

    Headers Check Result

    HTTP/1.1 200 OK
    Date: Sun, 22 Dec 2013 02:17:27 GMT
    Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
    X-Powered-By: PHP/5.4.7
    X-Pingback: https://aitpro.local/xmlrpc.php
    Set-Cookie: PHPSESSID=4dhb48kc8urbdfapvclkl3r6j1; path=/
    Link: ; rel=shortlink
    P3P: policyref="https://aitpro.local/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS"
    Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
    Pragma: no-cache
    Content-Type: text/html; charset=UTF-8

    Plugin Author AITpro

    (@aitpro)

    FYI – I looked all over the Internet and did not find any working examples of the correct P3P .htaccess code so I just took a logical guess with the single quotes.

    Thread Starter lzevon

    (@lzevon)

    Thank you! I added the code and will test (I don’t have a PC/Internet Explorer handy) at my first chance. The site is https://rhodyenergysavings.com and the issue was with Find My Rates, whereby I’m passing the zip code and commercial/residential to another site (of which I have no control) that is loading results (from the query) in an iFrame.

    Thank you again!

    Plugin Author AITpro

    (@aitpro)

    Since P3P is dead then this may not be a P3P issue or there is another method that would need to be used to solve the problem.

    Plugin Author AITpro

    (@aitpro)

    Are you seeing a 403 error? Have you checked your BPS Security Log to see if there are any log entries for this issue? If you see a log entry that is directly related to this issue then post it here.

    Thread Starter lzevon

    (@lzevon)

    I don’t see a 403 error (do you?), but I had a friend test and reports it’s still not working. What other method other than P3P could it be? The issue is (I believe) IE blocking cookies in the iFrame.

    I truly appreciate the help, so much so that I just went Pro

    Plugin Author AITpro

    (@aitpro)

    I would need to see all sides of the equation to figure out the problem. Send an email to info [at] ait-pro [dot] com with the site URL where the iframe is.

    Which version of IE?

    You might want to check and see if you have either of these headers set:
    X-Frame-Options
    X-XSS-Protection
    X-Content-Type-Options

    Also, CSP (Content Security Policy) is the latest standard when dealing with frames.
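
The header checks suggested in the post above, together with the P3P header from the Headers Check Result earlier in the thread, as an added example that is not part of the thread or of the BPS plugin: it parses a raw response-header block, splits the P3P value into its policyref and compact-policy tokens, and reports whether the response forbids cross-site framing. The function names and `FRAMED_SAMPLE` are constructed for illustration.

```python
import re

# Subset of the "Headers Check Result" posted earlier in this thread.
THREAD_SAMPLE = """HTTP/1.1 200 OK
Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
X-Pingback: https://aitpro.local/xmlrpc.php
P3P: policyref="https://aitpro.local/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS"
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample (not from the thread): a response that restricts framing.
FRAMED_SAMPLE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
"""

CHECKED = ("x-frame-options", "x-xss-protection",
           "x-content-type-options", "content-security-policy")

def parse_headers(raw):
    """Return {lowercased name: [values]}; lines without a colon are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_p3p(value):
    """Split a P3P value into its policyref URL and compact-policy (CP) tokens."""
    fields = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', value)}
    return {"policyref": fields.get("policyref"), "cp": fields.get("cp", "").split()}

def blocks_cross_site_framing(headers):
    """True if the response forbids being framed by another site."""
    csp = ";".join(headers.get("content-security-policy", []))
    m = re.search(r"frame-ancestors\s+([^;]*)", csp, re.I)
    if m:  # where supported, frame-ancestors overrides X-Frame-Options
        return set(m.group(1).split()) <= {"'none'", "'self'"}
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    return any(v in ("DENY", "SAMEORIGIN") for v in xfo)

def audit(raw):
    """Summarise the P3P and framing-related headers of one response."""
    h = parse_headers(raw)
    return {"p3p": parse_p3p(h["p3p"][0]) if "p3p" in h else None,
            "present": {n: h[n] for n in CHECKED if n in h},
            "missing": [n for n in CHECKED if n not in h],
            "blocks_framing": blocks_cross_site_framing(h)}
```

Run `audit()` on the headers of the page that is loaded inside the iframe, since that response decides whether it may be framed.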

    Thread Starter lzevon

    (@lzevon)

    Thanks Mickey – I’m not in control of the page I’m arriving at, the one that is not refreshing the iFrame. While I’m not familiar with any of the above header sets, they seem like they would be the ones being served-up from the site with the iFrame (I’m trying to post values to that page)? It works on all browsers except IE – still working on it!

    Plugin Author AITpro

    (@aitpro)

    I narrowed it down to the issue being with the Form’s Action and not an issue with the iframe. If you look at the Source code of the page the Form action is this:

    form method='post' enctype='multipart/form-data'  id='gform_2'  action='/'
    
    what you need for things to work correctly is something like this:
    
    action='https://rhody.myambit.com/rates-and-plans#$some_variable'

    Plugin Author AITpro

    (@aitpro)

    Or I should say work correctly in all Browsers. The reason the forced query does not work / is being stripped in IE and Safari is because the forced query string is malformed / bad coding practice and those browsers are assuming either the query is malicious or malformed.

    ?#r94122 is bad news / bad coding practice for a query string / a malformed query string.

    A good query string would look like this: ?x=something&y=something-else

    If the action is changed in the Form since this is a simple remote post, then you would not have to force a query string. So you could then just use #$some_variable without adding a forced query.

    Plugin Author AITpro

    (@aitpro)

    This issue is being handled directly via email resolving.

  • The topic ‘Adding P3P security’ is closed to new replies.