Windows 10 removes P3P - Future for Provider Hosted Add-ins?

Hi all,

This is a somewhat complex problem - so apologies in advance for the length of the question.

Situation:

Microsoft recommends all provider hosted SharePoint Add-Ins use the AppHost page pattern in order to be able to support the use of Internet Explorer with cross-domain calls that span security zones via the SP.RequestExecutor library.  This is essentially an IFRAME in the App Web that frames the provider hosted app.  As the top frame is in *.sharepoint.com this allows Internet Explorer to consider the entire content to be in one Internet Explorer security Zone and allow the cross-domain calls to succeed.

There are also various other scenarios like AppParts where our application may be embedded in a frame that will also require this technique.


 

Problem:

Cookies are used for all sorts of things these days - and in our case we rely on a cookie as the key for caching the SharePoint authentication, as per the standard TokenHelper class behaviour supplied by Microsoft in the Provider hosted add-in template.

When our provider hosted add-in asks the browser to accept and store a cookie, this has worked in the past, except in the past 6 months, when IE behaviour has been changing:

  • Initially the problem was exposed when P3P policy was implemented and IE stopped accepting cookies from 3rd party sites as a privacy precaution.  Since our provider hosted add-in is in a frame and is cross-domain, the cookies it asks the browser to store are considered 3rd party and are affected by the P3P policy.  We worked around this problem by including a P3P policy header on all our web responses.  This instructed IE to trust the site and store the cookies as before.
  • With the release of Windows 10, the P3P policy implementation has been removed, which affects IE11 on Windows 10, while IE 11 on Windows 8 remains unaffected.

So the problem is that, since SharePoint Online features do not work with Microsoft Edge (drag & drop etc.), most customers will be using IE11 on Windows 10, and with the P3P policy removed there is now no way to ensure that cross-domain cookies are allowed.

This differentiation in behaviour between the same version of IE on different OS can be observed directly using this test suite.

Replies of "Cookies are so 90's - just don't use them" are not helpful, but if you have managed to solve this in any way please let me know.

Cheers,

   James.

September 8th, 2015 9:40pm
