I'm trying to embed CC in our web app to allow users with a CC account to add a mailing list widget to their site.
I call an iframe with the url:
This flow works great on both Chrome and FF resulting in successful redirect to URI. But in IE the parent window is being redirected to the CC homepage ("http://www.constantcontact.com/index.jsp").
What am I doing wrong? How should this process work?
I would gladly give any extra info.
header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
API Support Specialist
Thanks for the quick reply.
What you are suggesting is a little problematic since there is elegant way to set header for iframe.
Please look at: http://stackoverflow.com/questions/389456/cookie-blocked-not-saved-in-iframe-in-internet-explorer.
Sorry for the problems you're running into. Wanted to provide a little more information for you before you and Shannon go too far down a troubleshooting path here. We are, as you mentioned, not setting P3P headers in our Login flow. This is intentional.
We do not support using our login flow in an iFrame window. We are planning on blocking the ability to load our login flow through an iFrame at all in the near future. Best practices for data security and logins are to never allow a username/password to be entered in a browser window that doesn't provide visibility to the host/server the user is entering the information on. This is to prevent impersonation and to provide confidence to the user that they are giving their username/password to a trusted source. I don't have a date for when this change will go through, but when it does, an iFrame flow for our OAuth 2.0 or login will not work in any browser (we will specifically set headers to prevent it from working in an iFrame 100%). Our intention is to roll this out sooner rather than later.
Our recommendation is to use a pop-up window, which is the industry standard for supported OAuth 2.0 flows. This is the same flow that Facebook, Twitter and most websites support. Sorry again for the frustration here and any time wasted researching/troubleshooting this issue.
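
The last reply says the login flow will send headers that stop it loading in an iFrame. As an added example (not part of the thread and not Constant Contact's code), this JavaScript function reads a response's headers and reports whether a given parent origin could frame the page. It assumes the headers meant are the standard `X-Frame-Options` and CSP `frame-ancestors`, which the thread does not name; the origins are constructed placeholders.

```javascript
// Added example: decide whether a response's headers allow framing by a parent origin.
// Assumption: the anti-framing headers are X-Frame-Options and CSP frame-ancestors.
// Simplified: one parent frame only; host wildcards and scheme-only sources are not matched.
function verdict(frameable, reason) {
  return { frameable, reason };
}

function framingPolicy(headers, pageOrigin, parentOrigin) {
  // Header names are case-insensitive, so normalise them to lower case.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Where a frame-ancestors directive is present it takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== 'frame-ancestors') continue;
      if (sources.some(s => s.toLowerCase() === "'none'")) {
        return verdict(false, "CSP frame-ancestors 'none'");
      }
      // An empty source list matches nothing, which blocks framing.
      const ok = sources.some(s =>
        s === '*' ||
        (s.toLowerCase() === "'self'" && pageOrigin === parentOrigin) ||
        s === parentOrigin);
      return verdict(ok, 'CSP frame-ancestors ' + sources.join(' '));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return verdict(false, 'X-Frame-Options DENY');
  if (xfo === 'SAMEORIGIN') {
    return verdict(pageOrigin === parentOrigin, 'X-Frame-Options SAMEORIGIN');
  }
  return verdict(true, 'no anti-framing header');
}

// Constructed sample: a login page and a third-party app that tries to frame it.
const LOGIN = 'https://login.example.com';
const PARTNER = 'https://app.example.org';
console.log(framingPolicy({ 'X-Frame-Options': 'DENY' }, LOGIN, PARTNER));
console.log(framingPolicy({}, LOGIN, PARTNER));
```

A login page that returns `frameable: false` for every third-party origin is one an integrator has to open in a pop-up or top-level window, as the reply recommends.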