Bump. Safari would still be a problem, but... anybody get P3P headers to work on appspot logins?

On Mar 31, 5:01 pm, Jim <jeb62...@gmail.com> wrote:
> Hi,
>
> I've created an application using Google App Engine that integrates
> with Google Accounts using login/logout URLs as described
> here: http://code.google.com/appengine/docs/python/users/loginurls.html.
> Everything works great when running the application directly. You can
> check out the app here: http://www.paymeplz.com/free
>
> But recently I decided to build a Google Gadget that contains a
> snippet of my functionality in the "home" Gadget view, and the whole
> thing in the "canvas" view using the URL approach to defining my
> Gadget .xml file as described
> here: http://code.google.com/apis/gadgets/docs/fundamentals.html#Content_Type
> The gadget resides here: http://www.paymeplz.com/gadget.xml
>
> It worked fine under Firefox and Chrome, but when I ran the Gadget
> under IE I discovered that the login functionality didn't work. I
> could follow the login URL to the Google Account login page, login and
> when re-directed back to my app the users.get_current_user() function
> would return nothing as if the user wasn't logged in.
>
> I quickly suspected cookies and dug around to discover the fact that
> IE, starting with version 6, started blocking "third party" cookies
> that didn't have a W3C P3P policy. I've never dealt with cookies much
> before, and I definitely wasn't familiar with P3P policies and how
> they impact delivery of cookies between servers and browsers. This
> site describes it well: http://www.p3ptoolbox.org/guide/section2.shtml
>
> After some research into the P3P topic, I realized I needed to
> configure a P3P policy and deploy it on my App Engine site. A little
> trial, error and free software from IBM got my policy set up and
> visible to the browsers including IE. But my cookies were still
> getting blocked by IE when running in the iGoogle Gadget container
> (i.e. a "third party" cookie).
>
> Further research revealed that IE looks not only at the P3P policy
> files stored on your server, as required by the W3C specification,
> they also require a "Compact Policy" to be embedded in the HTTP HEADER
> response from the server to the browser. A little poking around the
> Python doc revealed the self.response.headers.add_header() function
> which allowed me to send the requisite P3P headers for the Compact
> Policy.
>
> After these steps IE would allow my cookies through. Hooray! Right?
> Wrong. Then I found that my cookies were still getting blocked during
> the login process. Here's why: IE requires both the policy files on
> the server and the Compact Policy in the HTTP HEADER. And the only
> way to set the HTTP header is programmatically in the request
> handler .py program. Handler programs for the URLs used in the Login
> process reside in the reserved _ah directory which cannot be accessed
> as described here:
> http://code.google.com/appengine/docs/python/tools/configuration.html...
>
> So, the pages I emit from my .py programs can get cookies through to
> IE under a Gadget, but it's all for naught if the crucial Login step
> can't get its cookie through.
>
> Is there any way to set the default HTTP HEADERs for my entire app
> through some configuration setting? Or is there a way to over-ride
> the HEADERs in the responses generated by the login programs in
> _ah? Any other suggestions?
>
> Thanks for your time,
>
> Jim
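
An added example, not part of the original thread or of App Engine's own code: a plain WSGI middleware that adds a P3P compact-policy header to every response the application's own handlers produce, instead of calling add_header() in each handler. The class name, the demo handler and the compact-policy string are constructed for illustration; it only covers responses that pass through the app's WSGI stack, so it does not reach the login URLs under the reserved _ah path described above.

```python
# Added example: stamp a P3P compact policy on every response the app emits.
from wsgiref.util import setup_testing_defaults

# Constructed sample value: a real deployment must send the compact policy
# that matches its published P3P policy files.
SAMPLE_COMPACT_POLICY = 'CP="NOI DSP COR"'


class P3PHeaderMiddleware:
    """Wrap a WSGI app and add a P3P header to each response that lacks one."""

    def __init__(self, app, compact_policy):
        self.app = app
        self.compact_policy = compact_policy

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Header names are case-insensitive; keep a handler's own value.
            if not any(name.lower() == "p3p" for name, _ in headers):
                headers = list(headers) + [("P3P", self.compact_policy)]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Hypothetical handler that sets a session cookie (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sid=constructed; Path=/")])
    return [b"ok"]


def call(app, path):
    """Drive a WSGI app in-process and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    wrapped = P3PHeaderMiddleware(demo_app, SAMPLE_COMPACT_POLICY)
    print(call(wrapped, "/gadget"))
```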