Log in not working in IE

eyale
Participant


Hi,

 

I'm trying to embed CC in our web app to allow users with a CC account to add a mailing list widget to their site.

I call an iframe with the url:
src='https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize?response_type=token&client_id=ci...".

 

This flow works great on both Chrome and FF resulting in successful redirect to URI. But in IE the parent window is being redirected to the CC homepage ("http://www.constantcontact.com/index.jsp").

 

What am I doing wrong? How should this process work?

I would gladly give any extra info.

Thnx.

3 REPLIES 3
Shannon_W
Employee

Hi,

 

This appears to be caused by IE blocking redirects in iframes.  You can do a little bit of reading about it here, and here.  Both sources claim that adding a bit of code will solve the issue.

 

header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');

 

 

Best Regards,

Shannon W.

API Support Specialist

Thanks for the quick reply.
What you are suggesting is a little problematic since there is elegant way to set header for iframe.
From what I understand the problem occurs because the CC page I am trying to reach doesn't have a Privacy Policy.
Please look at: http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer.

Sorry for the problems you're running into. Wanted to provide a little more information for you before you and Shannon go too far down a troubleshooting path here. We are, as you mentioned, not setting P3P headers in our Login flow. This is intentional.

 

We do not support using our login flow in an iFrame window.  We are planning on blocking the ability to load our login flow through an iFrame at all in the near future.  Best practices for data security and logins are to never allow a username/password to be entered in a browser window that doesn't provide visibility to the host/server the user is entering the information on.  This is to prevent impersonation and to provide confidence to the user that they are giving their username/password to a trusted source.  I don't have a date for when this change will go through, but when it does, an iFrame flow for our OAuth 2.0 or login will not work in any browser (we will specifically set headers to prevent it from working in an iFrame 100%).  Our intention is to roll this out sooner rather than later.

 

Our recommendation is to use a pop-up window, which is the industry standard for supported OAuth 2.0 flows.  This is the same flow that Facebook, Twitter and most websites support.  Sorry again for the frustration here and any time wasted researching/troubleshooting this issue.

Dave Berard
Senior Product Manager, Constant Contact
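
The pop-up flow recommended in the reply above, as an added example (not code from this thread or from Constant Contact): the app opens the authorize URL in a top-level window where the user can see the host, and the redirect page hands the result back to the opener with an origin-checked `postMessage`. The client id, redirect URI, the `oauth_redirect` message type and the endpoint's support for the standard OAuth 2.0 `state` parameter are assumptions.

```javascript
// Added example. Endpoint as quoted in the post; all other names are placeholders.
const AUTHORIZE_URL = "https://oauth2.constantcontact.com/oauth2/oauth/siteowner/authorize";

// URL to open in the popup. `state` (RFC 6749) binds the response to this request;
// that this endpoint echoes it back is an assumption.
function buildAuthorizeUrl(clientId, redirectUri, state) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: "token", client_id: clientId, redirect_uri: redirectUri, state,
  }).toString();
  return url.toString();
}

// The implicit flow returns the token in the URL fragment of the redirect page.
function parseImplicitResponse(redirectedUrl, expectedState) {
  const params = new URLSearchParams(new URL(redirectedUrl).hash.slice(1));
  if (params.get("error")) return { ok: false, reason: params.get("error") };
  if (!expectedState || params.get("state") !== expectedState)
    return { ok: false, reason: "state_mismatch" };
  const token = params.get("access_token");
  return token ? { ok: true, token } : { ok: false, reason: "missing_token" };
}

// Opener side: trust a message only from our own origin AND from the popup we opened.
function handlePopupMessage(event, popup, appOrigin, expectedState) {
  if (event.origin !== appOrigin || event.source !== popup)
    return { ok: false, reason: "untrusted_sender" };
  if (!event.data || event.data.type !== "oauth_redirect")
    return { ok: false, reason: "unexpected_message" };
  return parseImplicitResponse(event.data.url, expectedState);
}

// Browser wiring: call from a click handler so the popup is not blocked.
function startLogin(clientId, redirectUri, onResult) {
  const state = crypto.randomUUID();
  const popup = window.open(buildAuthorizeUrl(clientId, redirectUri, state),
    "cc_login", "popup,width=520,height=640");
  if (!popup) return onResult({ ok: false, reason: "popup_blocked" });
  window.addEventListener("message", function onMessage(event) {
    const result = handlePopupMessage(event, popup, window.location.origin, state);
    if (result.reason === "untrusted_sender" || result.reason === "unexpected_message") return;
    window.removeEventListener("message", onMessage);
    popup.close();
    onResult(result);
  });
}

// Redirect page (same origin as the app), loaded inside the popup after login.
function reportToOpener() {
  window.opener.postMessage({ type: "oauth_redirect", url: location.href }, location.origin);
}
```
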