One thing I learned over the past few months had to do with sharing a website from one site to another via an iFrame. The problem arises when the domains don’t match. If your primary site is example.com and the site in the iFrame is exampleinaniframe.com, by default exampleinaniframe.com cannot set cookies or execute certain JavaScript. Browsers see this as a potential hijacking and throw a security error.
The fix is simple in principle, but not so simple in practice. There is a header you can add to your site that tells browsers to allow it to be placed in an iFrame. These are called P3P headers. The hard part is that an online search returns many conflicting answers about what the header should look like. Then one night, as I was trying to figure out how to do Facebook development, it hit me. That is how Facebook works. All of those applications you use in Facebook are really hosted on another site; you just see them seamlessly via an iFrame. Now, since Facebook has 350,000,000 users, I figured they probably have this figured out.
A brief search found this very simple and concise P3P header. All you have to do is include it somewhere early in your page load life cycle (global.asax, httpmodule, basepage, etc…):
HttpContext.Current.Response.AddHeader("p3p", "CP=\"CAO PSA OUR\"");
That will tell the user’s browser to not throw a security exception and allow the site to function as needed.
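As an added example (not code from the original post), here is one way to send that header from an HttpModule, so it is queued before any page code runs and only for the pages meant to be framed. The class name P3PHeaderModule and the ~/embedded/ path prefix are assumptions made for illustration.

```csharp
using System;
using System.Web;

// Added example. The module name and FramedPrefix are hypothetical;
// the compact policy string is the one quoted in the post.
//
// Registration (IIS integrated pipeline), in web.config:
//   <system.webServer>
//     <modules>
//       <add name="P3PHeaderModule" type="P3PHeaderModule" />
//     </modules>
//   </system.webServer>
public class P3PHeaderModule : IHttpModule
{
    private const string CompactPolicy = "CP=\"CAO PSA OUR\"";

    // Assumption: only pages under this app-relative folder are framed
    // by the other site, so only they need the header.
    private const string FramedPrefix = "~/embedded/";

    public void Init(HttpApplication application)
    {
        // BeginRequest fires before handlers and pages execute, so the
        // header is added before anything can flush the response.
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        string path = context.Request.AppRelativeCurrentExecutionFilePath;

        // Skip everything outside the framed section of the site.
        if (path == null ||
            !path.StartsWith(FramedPrefix, StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        context.Response.AddHeader("p3p", CompactPolicy);
    }

    public void Dispose()
    {
        // Nothing to release.
    }
}
```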