Title: Adding P3P security Last modified: August 21, 2016 --- # Adding P3P security * Resolved [lzevon](https://wordpress.org/support/users/lzevon/) * (@lzevon) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/) * I’ve watched the video for adding custom code and I’m still not getting the result I hoped for. I need to add… * Header set P3P “policyref=\”/w3c/p3p.xml\”, CP=\”NOI DSP COR NID CUR ADM DEV OUR BUS\”” * … so that one of my forms can pass arguments to another page and within that page to an iFrame (more here: [http://adamyoung.net/IE-Blocking-iFrame-Cookies](http://adamyoung.net/IE-Blocking-iFrame-Cookies)). * Any advice on where I can place this using the custom code feature? Also, I assume I need to disable auto-lock and unlock the file before doing so? * Thanks in advance! * [http://wordpress.org/plugins/bulletproof-security/](http://wordpress.org/plugins/bulletproof-security/) Viewing 12 replies - 1 through 12 (of 12 total) * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436819) * **This code worked for me:** * ``` # Simple #Header set P3P policyref="http://aitpro.local/w3c/p3p.xml" # More complex Header set P3P 'policyref="http://aitpro.local/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS"' ``` * 1. This P3P custom .htaccess code above would go in this BPS Custom Code text box: **CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE** * 2. Click the Save Root Custom Code button. * 3. Go to the Security Modes page, click the Create secure.htaccess File button and activate Root folder BulletProof Mode again. * **Headers Check Result** * ``` HTTP/1.1 200 OK Date: Sun, 22 Dec 2013 02:17:27 GMT Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7 X-Powered-By: PHP/5.4.7 X-Pingback: http://aitpro.local/xmlrpc.php Set-Cookie: PHPSESSID=4dhb48kc8urbdfapvclkl3r6j1; path=/ Link: ; rel=shortlink P3P: policyref="http://aitpro.local/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS" Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Pragma: no-cache Content-Type: text/html; charset=UTF-8 ``` * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436820) * FYI – I looked all over the Internet and did not find any working examples of the correct P3P .htaccess code so I just took a logical guess with the single quotes. 😉 * Thread Starter [lzevon](https://wordpress.org/support/users/lzevon/) * (@lzevon) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436845) * Thank you! I added the code and will test (I don’t have a PC/Internet Explorer handy) t my first chance. The site is [http://rhodyenergysavings.com](http://rhodyenergysavings.com) and the issue was with Find My Rates, whereby I’m passing the zip code and commercial/ residential to another site (of which I have no control) that is loading results( from the query) in an iFrame. * Thank you again! * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436846) * Since P3P is dead then this may not be a P3P issue or there is another method that would need to be used to solve the problem. * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436849) * Are you seeing a 403 error? Have you checked your BPS Security Log to see if there are any log entries for this issue? If you see a log entry that is directly related to this issue then post it here. * Thread Starter [lzevon](https://wordpress.org/support/users/lzevon/) * (@lzevon) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436852) * I don’t see a 403 error (do you?), but I had a friend test and reports it’s still not working. What other method other than P3P could it be? The issue is (I believe) IE blocking cookies in the iFrame. * I truly appreciate the help, so much so that I just went Pro 🙂 * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436854) * I would need to see all sides of the equation to figure out the problem. Send an email to info [at] ait-pro [dot] com with the site URL where the iframe is. * [MickeyRoush](https://wordpress.org/support/users/mickeyroush/) * (@mickeyroush) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436875) * Which version of IE? * You might want to check and see if you have either of these headers set: X-Frame- Options X-XSS-Protection X-Content-Type-Options * Also, CSP (Content Security Policy) is the latest standard when dealing with frames. * Thread Starter [lzevon](https://wordpress.org/support/users/lzevon/) * (@lzevon) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436882) * Thanks Mickey – I’m not in control of the page I’m arriving at, the one that is not refreshing the iFrame. While I’m not familiar with any of the above header sets, they seem like they would be the ones being served-up from the site with the iFrame (I’m trying to post values to that page)? It works on all browsers except IE – still working on it! * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436885) * I narrowed it down to the issue being with the Form’s Action and not an issue with the iframe. If you look at the Source code of the page the Form action is this: * ``` form method='post' enctype='multipart/form-data' id='gform_2' action='/' what you need for things to work correctly is something like this: action='http://rhody.myambit.com/rates-and-plans#$some_variable' ``` * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436886) * Or i should say work correctly in all Browsers. The reason the forced query does not work / is being stripped in IE and Safari is because the forced query string is malformed / bad coding practice and those browsers are assuming either the query is malicious or malformed. * ?#r94122 is bad news / bad coding practice for a query string / a malformed query string. * A good query string would look like this: ?x=something&y=something-else * If the action is changed in the Form since this is a simple remote post, then you would not have to force a query string. So you could then just use #$some_variable without adding a forced query. * Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/) * (@aitpro) * [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436934) * This issue is being handled directly via email resolving. Viewing 12 replies - 1 through 12 (of 12 total) The topic ‘Adding P3P security’ is closed to new replies. * ![](https://ps.w.org/bulletproof-security/assets/icon-128x128.png?rev=1731938) * [BulletProof Security](https://wordpress.org/plugins/bulletproof-security/) * [Support Threads](https://wordpress.org/support/plugin/bulletproof-security/) * [Active Topics](https://wordpress.org/support/plugin/bulletproof-security/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/bulletproof-security/unresolved/) * [Reviews](https://wordpress.org/support/plugin/bulletproof-security/reviews/) ## Tags * [P3P](https://wordpress.org/support/topic-tag/p3p/) * 12 replies * 3 participants * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/) * Last activity: [12 years, 4 months ago](https://wordpress.org/support/topic/adding-p3p-security/#post-4436934) * Status: resolved