How does Facebook set cross-domain cookies for iFrames on canvas pages?

I was browsing Facebook's documentation reading about canvas applications and I came across an example application: http://developers.facebook.com/docs/samples/canvas. As I read through their example, however, I got very confused about their use of cookies in the iframe application.

A little backstory...

I had already played around with using iframes for embeddable widgets (unrelated to Facebook) and I found out a few browsers (Chrome, Safari, etc.) have strict cookie policies and don't allow cross-domain cookies set in iframes (Firefox, on the other hand, allows iframes to set cross-domain cookies in iframes). For example, if foo.com has an iframe with src="http://bar.com/widget" the iframe widget will not be able to set any cookies for bar.com and therefore will have trouble persisting state within the iframe: bar.com will interpret every request (including ajax requests) from the widget as a fresh request without an established session. I struggled, and found a way around this by using JSONP and javascript to set cookies for foo.com instead...

... and so?

Well, I was looking at the example canvas iframe Facebook application and I noticed that their application (hosted on runwithfriends.appspot.com) is able to set a cookie, u, with the current user's id along with a few other parameters for the runwithfriends.appspot.com domain. It sends this cookie with every request... and it works in both Chrome and Firefox! WTF? How does Facebook get around the cross-domain cookie restrictions on Chrome?

(I already know the answer now, but I thought this might be helpful for anyone struggling to figure out the same thing)

So the iFrame isn't actually setting the u cookie for the runwithfriends.appspot.com domain. What Facebook does is it creates a form, <form action="runwithfriends.appspot.com/..." target="name_of_iframe" method="POST"> and uses javascript to submit the form on page load. Since the form's target is the iframe, it doesn't reload the page... it just loads the iframe with the POST's response. Apparently even Chrome and other browsers with strict cookie policies set cookies for cross domain requests if they are POST requests...


As you can see the answer is simple, and could be implemented by just creating a handler (could be a Servlet or anything that can catch some parameterts and transform them into cookies), like this: <html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:f="http://java.sun.com/jsf/core" xmlns:h="http://java.sun.com/jsf/html" xmlns:a4j="http://richfaces.org/a4j" xmlns:c="http://java.sun.com/jstl/core" xmlns:rich="http://richfaces.org/rich"> <head> <title>::Kaptest:: Cookie Generator</title> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"/> <META HTTP-EQUIV="Expires" CONTENT="-1"/> <META HTTP-EQUIV="EXPIRES" CONTENT="0"/> </head> <c:set var="myCookies" value="#{kaptest.cross_domain_listener_action.cookies}" /> Cookies Generated... <script> function setCookie(name, value, expireDays){ var expirationDate = new Date(); expirationDate.setDate(expirationDate.getDate() + expireDays); document.cookie = name+ "=" +escape(value)+ ";path=/" + ((expireDays==null) ? "" : ";expires="+expirationDate.toGMTString()); } function setCookieMinutes(name, value, expireMinutes){ var expirationDate = new Date(); expirationDate.setMinutes(expirationDate.getMinutes() + expireMinutes); document.cookie = name+ "=" +escape(value)+ ";path=/" + ((expireMinutes==null) ? "" : ";expires="+expirationDate.toGMTString()); } </script> <script> <a4j:repeat value="#{myCookies}" var="myCookie"> setCookieMinutes("#{myCookie.name}", "#{myCookie.value}", #{myCookie.maxAge}); </a4j:repeat> </script> </html> @Name("kaptest.cross_domain_listener_action") public class CrossDomainListenerAction { private static final LogProvider log = Logging.getLogProvider(CrossDomainListenerAction.class); @In private FacesContext facesContext; private final String CODE_WORD_VALUE = KapConfig.getString("bulk_post_code_word"); private final String CODE_WORD_NAME = "__token"; private final Integer COOKIE_DEFAULT_MAX_AGE = 30; private List<CookieWrapper> cookies = new ArrayList<CookieWrapper>(); /** * Generates a set of cookies based on a Form submitted by client, * in order to bypass cross domain issues with external applications. * * In order to use it, one of the parameters should be a codeword (password). * * @return String - outcome */ @Create public void generateCookies(){ log.debug("Generating Cookies based on Params received"); HttpServletRequest request = (HttpServletRequest)this.facesContext.getExternalContext().getRequest(); Map<String, String> requestParameterMap = this.facesContext.getExternalContext().getRequestParameterMap(); if(StringUtils.equalsIgnoreCase(requestParameterMap.get(this.CODE_WORD_NAME), this.CODE_WORD_VALUE)){//Password provided for(String name : requestParameterMap.keySet()){ String value = requestParameterMap.get(name); if(!name.equalsIgnoreCase(this.CODE_WORD_NAME)){ log.info("Generating Cookie with name="+name+" and value="+value); //CookieUtil.placeCookie(name, value, COOKIE_DEFAULT_MAX_AGE); cookies.add(new CookieWrapper(name, value, COOKIE_DEFAULT_MAX_AGE)); } } }else{ log.warn("Wrong Code Word from "+request.getRemoteHost()+"/"+request.getRemoteAddr()); } } public List<CookieWrapper> getCookies(){ return this.cookies; } }

Cross Domain issue - Ajax

Who say yes???
I was working in a GUI for controlling components in different servers from one server - stopping, starting, purging queues & consumers; finally beans
The firSt thing it came to my mind was: "let's do it with AJAX to avoid multiple calls and decrease the traffic!!!"
Which AJAX framework should I choose??? Let's learn jQuery, because that one has a bunch of cool features which will be really helpfull to develop my GUI (check this site: flowplayer.org they have a bunch of demos which are really easy to follow and all based on jQuery)
My first issue was learnign that Ajax call, but after a few hours I could do my first ajax call using jQuery (I have a servlet which returns XML or JSON)

Now what??? If I'm accessing the servlet in the same context - domain, everything works fine, but... If I try to access my servlet but in another server

Tons tuve que eccharle coco
My solution was to create a ProxyServlet which basically will take my request and pass it to the remote server & servlet using an HttpClient and in the same way, it will get the response coming from the remote servlet, in other words, my ProxyServlet (in the same domain - context) will be the only one talking to my Ajax call, eventhough ProxyServlet will be talking to the remote server & servlet. Then I did it again  

This is my code:
import java.io.IOException; import java.util.HashMap; import java.util.Map; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.HttpException; import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager; import org.apache.commons.httpclient.methods.PostMethod; import org.apache.commons.httpclient.params.HttpConnectionManagerParams; import org.apache.commons.httpclient.params.HttpMethodParams; import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; /** * ProxyServlet * Makes http request to an external resource and returns the response gotten. * This servlet is my workaround for Cross Domain (same origin policy) issue. * * @author Juan Cruz * @since Aug 11 2010 */ public class ProxyServlet extends HttpServlet { private static final Logger log = Logger.getLogger(ProxyServlet.class); private HttpClient httpClient = new HttpClient(); @Override public void init() throws ServletException { super.init(); this.initializeHttpClient(); } @Override protected void doGet(HttpServletRequest requqest, HttpServletResponse response) throws ServletException, IOException { this.doPost(requqest, response); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/xml"); response.setHeader("Cache-Control", "no-cache"); String server = StringUtils.trim(request.getParameter("server")); String targetServlet = StringUtils.trim(request.getParameter("targetServlet")); Map<String, String> parameters = new HashMap<String, String>(); for(Object paramName : request.getParameterMap().keySet()){//Get only String parameters if (paramName instanceof String && request.getParameter(paramName+"") instanceof String) { parameters.put(paramName+"", request.getParameter(paramName+"")); } } String result = this.sendRequest(server,targetServlet, parameters); if(result!=null){ response.getWriter().write(result); }else{ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); } } /** * Send request to desired target * * @param server * @param targetServlet * @param parameters * @return String */ private String sendRequest(final String server, final String targetServlet, final Map<String, String> parameters) { log.debug("sendRequest "+server+targetServlet+", "+parameters); String responseBody = null; // Create a method instance. PostMethod method = new PostMethod("http://"+server+targetServlet); // Provide custom retry handler is necessary method.getParams().setParameter(HttpMethodParams.RETRY_HANDLER, new DefaultHttpMethodRetryHandler(3, false)); //add parameters for(String paramName : parameters.keySet()){ method.addParameter(paramName, parameters.get(paramName)); } try { httpClient.executeMethod(method); int statusCode = method.getStatusCode(); log.debug("HTTP status code:" +statusCode); if(statusCode==HttpServletResponse.SC_OK){ responseBody = method.getResponseBodyAsString(); }else{ log.warn(server+targetServlet+" responded with statusCode="+statusCode); } } catch (HttpException ex) { log.error("Fatal protocol violation: " + ex.getMessage(),ex); } catch (IOException ex) { log.error("Fatal transport error: " + ex.getMessage(),ex); } finally { // Release the connection. method.releaseConnection(); } return responseBody; } /** * Initialize ConnectionManager for HttpClient */ private void initializeHttpClient(){ HttpConnectionManagerParams managerParams = new HttpConnectionManagerParams(); //maximum number of connections allowed. managerParams.setMaxTotalConnections(10); managerParams.setDefaultMaxConnectionsPerHost(10); //check to see if the server closed the connection managerParams.setStaleCheckingEnabled(true); //time (ms) to wait for data after a connection is established managerParams.setSoTimeout(3000); //time (ms) to wait for a connection managerParams.setConnectionTimeout(3000); MultiThreadedHttpConnectionManager connectionManager = new MultiThreadedHttpConnectionManager(); connectionManager.setParams(managerParams); httpClient.setHttpConnectionManager(connectionManager); } }
This is my main servlet (the one which returns XML or JSON using json-simple project) import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Set; import java.util.TreeSet; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.BooleanUtils; import org.apache.commons.lang.StringUtils; import org.apache.log4j.Logger; import org.json.simple.JSONValue; import com.vzw.common.gsbsocketapp.consumer.ActiveMQDLConsumer; import com.vzw.common.gsbsocketapp.consumer.MOMConsumer; import com.vzw.common.gsbsocketapp.util.AppContext; /** * UtilsServlet * * @author Juan Cruz * @since July 15 2010 */ public class UtilsServlet extends HttpServlet { private static final long serialVersionUID = -6124305504614666753L; private static final Logger log = Logger.getLogger(UtilsServlet.class); @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { this.doPost(request, response); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String operation = request.getParameter("operation"); String consumerName = StringUtils.trim(request.getParameter("consumerName")); String suffix = StringUtils.trim(request.getParameter("suffix")); Boolean isJsonEnabled = BooleanUtils.toBoolean(StringUtils.trim(request.getParameter("json"))); Boolean result = false; if(StringUtils.isNotEmpty(operation)){ response.setContentType("text/xml"); response.setHeader("Cache-Control", "no-cache"); if(StringUtils.equalsIgnoreCase(operation, "getBeans")){ StringBuffer sb = new StringBuffer(); List<String> listBeans = this.getBeans(suffix); for(String beanName : listBeans){ sb.append("<bean>"); sb.append(beanName); sb.append("</bean>"); } if(isJsonEnabled){ response.getWriter().write(JSONValue.toJSONString(listBeans)); }else{ response.getWriter().write("<beans>" + sb.toString() + "</beans>"); } } if(StringUtils.equalsIgnoreCase(operation, "startMOMConsumer")){ this.startMOMConsumer(consumerName); result = Boolean.TRUE; if(isJsonEnabled){ response.getWriter().write(JSONValue.toJSONString(result)); }else{ response.getWriter().write("<result>"+result+"</result>"); } } if(StringUtils.equalsIgnoreCase(operation, "stopMOMConsumer")){ this.stopMOMConsumer(consumerName); result = Boolean.TRUE; if(isJsonEnabled){ response.getWriter().write(JSONValue.toJSONString(result)); }else{ response.getWriter().write("<result>"+result+"</result>"); } } if(StringUtils.equalsIgnoreCase(operation, "isStartedMOMConsumer")){ result = this.isStartedMOMConsumer(consumerName); if(isJsonEnabled){ response.getWriter().write(JSONValue.toJSONString(result)); }else{ response.getWriter().write("<result>"+result+"</result>"); } } if(StringUtils.equalsIgnoreCase(operation, "startAllConsumers")){ this.startAllConsumers(suffix); result = Boolean.TRUE; if(isJsonEnabled){ response.getWriter().write(JSONValue.toJSONString(result)); }else{ response.getWriter().write("<result>"+result+"</result>"); } } if(StringUtils.equalsIgnoreCase(operation, "stopAllConsumers")){ this.stopAllConsumers(suffix); result = Boolean.TRUE; if(isJsonEnabled){ response.getWriter().write(JSONValue.toJSONString(result)); }else{ response.getWriter().write("<result>"+result+"</result>"); } } if(StringUtils.equalsIgnoreCase(operation, "purgeDLQConsumer")){ this.purgeConsumer(consumerName); result = Boolean.TRUE; if(isJsonEnabled){ response.getWriter().write(JSONValue.toJSONString(result)); }else{ response.getWriter().write("<result>"+result+"</result>"); } } }else{ //Nada que mostrar response.setStatus(HttpServletResponse.SC_NO_CONTENT); } } /** * Search beans on Spring ApplicationContext with given suffix * * @param suffix * @return List<String> */ private List<String> getBeans(final String suffix){ if(log.isDebugEnabled()){ log.debug("getBeans (with suffix)=" +suffix); } List<String> listBeans = new ArrayList<String>(); String[] beanDefinitionNames = AppContext.getAppContext().getBeanDefinitionNames(); Set<String> listBeansFiltered = new TreeSet<String>();//Sort them & avoid duplicates for(String beanName : beanDefinitionNames){//filter by suffix provided if(StringUtils.trim(beanName).endsWith(suffix)){ listBeansFiltered.add(beanName); } } for(String item : listBeansFiltered){ listBeans.add(item); } if(log.isDebugEnabled()){ log.debug("beans retrieved =" +listBeans.size()); } return listBeans; } /** * Start consumer given * * @param consumerBeanId */ @SuppressWarnings("unchecked") private void startMOMConsumer(final String consumerBeanId){ if(log.isDebugEnabled()){ log.debug("startMOMConsumer beanId=" +consumerBeanId); } List<MOMConsumer>momConsumers = (List<MOMConsumer>)AppContext.getAppContext().getBean(consumerBeanId); for (MOMConsumer momConsumer : momConsumers) { if(!momConsumer.isStarted()){//start if is not started momConsumer.execute(); } } if(log.isDebugEnabled()){ log.debug(consumerBeanId+" started"); } } /** * Call execute method on given consumer * * @param consumerBeanId */ private void purgeConsumer(String consumerBeanId) { if(log.isDebugEnabled()){ log.debug("purgeConsumer beanId=" +consumerBeanId); } ActiveMQDLConsumer activeMQDLConsumer = (ActiveMQDLConsumer)AppContext.getAppContext().getBean(consumerBeanId); activeMQDLConsumer.execute(); if(log.isDebugEnabled()){ log.debug(consumerBeanId+" purged"); } } /** * Stop consumer given * * @param consumerBeanId */ @SuppressWarnings("unchecked") private void stopMOMConsumer(final String consumerBeanId){ if(log.isDebugEnabled()){ log.debug("stopMOMConsumer beanId=" +consumerBeanId); } List<MOMConsumer> momConsumers = (List<MOMConsumer>)AppContext.getAppContext().getBean(consumerBeanId); for (MOMConsumer momConsumer : momConsumers) { momConsumer.stop(); } if(log.isDebugEnabled()){ log.debug(consumerBeanId+" stopped"); } } /** * Verify state of given consumer - bean * * @param consumerBeanId * @return boolean */ @SuppressWarnings("unchecked") private boolean isStartedMOMConsumer(final String consumerBeanId){ boolean started = false; List<MOMConsumer> momConsumers = (List<MOMConsumer>)AppContext.getAppContext().getBean(consumerBeanId); for (MOMConsumer momConsumer : momConsumers) { started = momConsumer.isStarted(); } if(log.isDebugEnabled()){ log.debug("isStarted beanId=" +consumerBeanId+"?"+started); } return started; } /** * Start all consumers with given suffix * * @param suffix */ @SuppressWarnings("unchecked") private void startAllConsumers(final String suffix){ if(log.isDebugEnabled()){ log.debug("startAllConsumer suffix=" +suffix); } List<String> listBeans = this.getBeans(suffix); for(String consumerBeanId: listBeans){ List<MOMConsumer> momConsumers = (List<MOMConsumer>)AppContext.getAppContext().getBean(consumerBeanId); for (MOMConsumer momConsumer : momConsumers) { momConsumer.execute(); } } if(log.isDebugEnabled()){ log.debug(listBeans.size()+" beans started"); } } /** * Stop all consumers with given suffix * * @param suffix */ @SuppressWarnings("unchecked") private void stopAllConsumers(final String suffix){ if(log.isDebugEnabled()){ log.debug("stopAllConsumers suffix=" +suffix); } List<String> listBeans = this.getBeans(suffix); for(String consumerBeanId: listBeans){ List<MOMConsumer> momConsumers = (List<MOMConsumer>)AppContext.getAppContext().getBean(consumerBeanId); for (MOMConsumer momConsumer : momConsumers) { momConsumer.stop(); } } if(log.isDebugEnabled()){ log.debug(listBeans.size()+" beans stopped"); } } }

And this now, these are portions of my jQuery code:
var jsArray = new Array(); function parseXmlResponse(xml) { $(xml).find("bean").each(function(index) { jsArray.push($(this).text()); }); } function executeAjaxCallWithXML(){ $.ajax({ type: 'POST', url: 'http://'+server+'/GSBSocketAppWeb/proxyServlet', data: "operation="+operation+"&suffix="+suffix+"&server="+server+"&targetServlet=/GSBSocketAppWeb/utilsServlet", dataType: "xml", success: parseXmlResponse, async: false, error: function(xmlHttpRequest, textStatus, errorThrown){ alert(textStatus+", code: "+xmlHttpRequest.status); jsArray = new Array(); } }); } function executePostCallWithJson(){ $.post('http://'+server+'/GSBSocketAppWeb/proxyServlet?operation='+operation+'&suffix='+suffix+'&json=true&server='+server+'&targetServlet=/GSBSocketAppWeb/utilsServlet',function(data, textStatus){ // this will give us an array of objects var arrayItems = JSON.parse(data); for(var x=0; x < arrayItems.length; x++) { jsArrayBrowsers.push(arrayItems[x]); } }, 'text'); } function executeAjaxCallwithJson(){ //We can use .ajax or .get / .post $.ajax({ type: 'POST', url: 'http://'+server+'/GSBSocketAppWeb/proxyServlet', data: "operation="+operation+"&consumerName="+consumerName+"&json=true&server="+server+"&targetServlet=/GSBSocketAppWeb/utilsServlet", dataType: "json", success: function(data, textStatus){ if(data){ alert(consumerName+' was purged successfully'); button.value = 'Purged'; } }, error: function(xmlHttpRequest, textStatus){ alert(textStatus+", code: "+xmlHttpRequest.status); jsArrayBrowsers = new Array(); } }); }

You can get the additional JavaScript libraries from: JSON2 and my version of jQuery Tools