Sorry for the problems you're running into. Wanted to provide a little more information for you before you and Shannon go too far down a troubleshooting path here. We are, as you mentioned, not setting P3P headers in our Login flow. This is intentional.
We do not support using our login flow in an iFrame window. We are planning on blocking the ability to load our login flow through an iFrame at all in the near future. Best practices for data security and logins are to never allow a username/password to be entered in a browser window that doesn't provide visibility to the host/server the user is entering the information on. This is to prevent impersonation and to provide confidence to the user that they are giving their username/password to a trusted source. I don't have a date for when this change will go through, but when it does, an iFrame flow for our OAuth 2.0 or login will not work in any browser (we will specifically set headers to prevent it from working in an iFrame 100%). Our intention is to roll this out sooner rather than later.
Our recommendation is to use a pop-up window, which is the industry standard for supported OAuth 2.0 flows. This is the same flow that Facebook, Twitter and most websites support. Sorry again for the frustration here and any time wasted researching/troubleshooting this issue.
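
The check below is an added example, not part of the original reply or the vendor's code: it decides from a response's headers whether a browser would render that page inside a frame on another origin. The reply does not name the headers it will set; the two standard anti-framing headers (`X-Frame-Options` and CSP `frame-ancestors`) are assumed, and the origins are constructed.

```javascript
// Models one parent frame only; browsers check every ancestor in the chain.
// Host wildcards and scheme-only sources in frame-ancestors are not handled.

function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sameOrigin(a, b) {
  try { return new URL(a).origin === new URL(b).origin; } catch { return false; }
}

// headers: object keyed by lower-case header name.
function framingAllowed(headers, pageOrigin, parentOrigin) {
  const csp = headers['content-security-policy'];
  const sources = csp ? frameAncestors(csp) : null;
  if (sources !== null) {
    // When frame-ancestors is present, browsers use it and ignore X-Frame-Options.
    return sources.some((s) => {
      if (s === '*') return true;
      if (s.toLowerCase() === "'self'") return sameOrigin(pageOrigin, parentOrigin);
      if (s.toLowerCase() === "'none'") return false;
      return sameOrigin(s, parentOrigin);
    });
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(pageOrigin, parentOrigin);
  // No header, or a value current browsers ignore (e.g. the obsolete ALLOW-FROM).
  return true;
}

// Constructed sample: a login page embedded by a partner site.
const LOGIN = 'https://login.example';
const PARTNER = 'https://partner.example';
const hardened = {
  'content-security-policy': "frame-ancestors 'none'",
  'x-frame-options': 'DENY',
};
console.log(framingAllowed(hardened, LOGIN, PARTNER)); // false
console.log(framingAllowed({}, LOGIN, PARTNER));       // true
```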