There are a few special considerations involving HTTP headers for configuring your application and server to operate correctly across browsers as an embedded app.
Web servers have the option of setting a response header
X-Frame-Options: DENY, meaning that the web browser will then refuse to render that page if the content window is inside some kind of frame. Since all embedded applications are rendered inside an iframe, this option must be turned off on your web server.
Internet Explorer P3P Policy Header
Most versions of Internet Explorer require a P3P policy to be set. If not, the browser creates a cookie but refuses to modify its content in an iframe. The P3P policy is an outdated standard, and most major websites configure their policy to "No Policy". To avoid any issue with cookies on Internet Explorer, simply define a bogus policy (e.g.
In Ruby on Rails, add this snippet to you ApplicationController:
In PHP, you can define a P3P policy as follows: