There are a few special considerations involving HTTP headers for configuring your application and server to operate correctly across browsers as an embedded app.

X-Frame-Options Header

Web servers can set the response header X-Frame-Options: DENY, which tells the web browser to refuse to render the page when it is loaded inside a frame. Since all embedded applications are rendered inside an iframe, this option must be turned off on your web server.


Internet Explorer P3P Policy Header

Most versions of Internet Explorer require a P3P policy to be set. If not, the browser creates a cookie but refuses to modify its content in an iframe. The P3P policy is an outdated standard, and most major websites configure their policy to "No Policy". To avoid any issue with cookies on Internet Explorer, simply define a bogus policy (e.g. CP="Not used").

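In Ruby on Rails, add this snippet to your ApplicationController:

# Run set_p3p before every action (before_filter is named before_action
# from Rails 4 on, and before_filter was removed in Rails 5.1).
before_filter :set_p3p

# Send a P3P header with every response.
def set_p3p
  headers['P3P'] = 'CP="Your P3P policy here"'
end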

In PHP, you can define a P3P policy as follows:

header('P3P: CP="Your P3P policy here"');
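
Both header requirements above can be applied and checked in one place. The following is an added example, not code from the original page: a Rack-style middleware in plain Ruby that drops X-Frame-Options and sets the bogus P3P policy, plus a checker that reports headers that would break an embedded app. The names `EmbeddedAppHeaders`, `header_issues` and the `/embedded` path prefix are assumptions; the prefix limits the change to routes that are actually served inside the iframe, so other routes keep their framing protection.

```ruby
# Added example (hypothetical names); runs without any gems.
P3P_VALUE = 'CP="Not used"' # the bogus policy suggested in the text

# Report header settings that would break an app rendered inside an iframe.
def header_issues(headers)
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s }
  issues = []
  xfo = h['x-frame-options']
  # DENY blocks all framing; SAMEORIGIN blocks framing by a different origin.
  if xfo && %w[DENY SAMEORIGIN].include?(xfo.strip.upcase)
    issues << "X-Frame-Options: #{xfo} blocks rendering in the iframe"
  end
  issues << 'P3P header missing (Internet Explorer cookie issue)' unless h.key?('p3p')
  issues
end

# Rack-style middleware: fixes the headers for embedded routes only.
class EmbeddedAppHeaders
  def initialize(app, embedded_prefix: '/')
    @app = app
    @prefix = embedded_prefix # assumption: embedded pages share a path prefix
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless env['PATH_INFO'].to_s.start_with?(@prefix)

    # Header names are case-insensitive, so match them that way.
    fixed = headers.reject { |k, _| k.to_s.casecmp?('X-Frame-Options') }
    fixed['P3P'] = P3P_VALUE unless fixed.keys.any? { |k| k.to_s.casecmp?('P3P') }
    [status, fixed, body]
  end
end

# Constructed sample: an app whose server adds X-Frame-Options: DENY everywhere.
SAMPLE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'DENY' }, ['ok']]
end

if __FILE__ == $PROGRAM_NAME
  stack = EmbeddedAppHeaders.new(SAMPLE_APP, embedded_prefix: '/embedded')
  %w[/embedded/home /admin].each do |path|
    _, headers, = stack.call('PATH_INFO' => path)
    puts "#{path}: #{header_issues(headers).inspect}"
  end
end
```

In a Rails or Rack app the class would be registered with `use EmbeddedAppHeaders, embedded_prefix: '/embedded'`, and `header_issues` can be run over captured response headers in a test suite.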