Stupid IE6 and its iframe cookie idiocy needs a throat punch

F--- you, IE 6…so let’s say you have a site, that has two versions, a.throat-punch.com and b.throat-punch.com. And Apache uses a cookie to determine which version you should be viewing, and sends a 302 redirect if you’re on the wrong domain.

Now let’s say you want to access a page on this site from an <iframe> from an external domain, say www.whowantsathroatpunch.com. Stupid IE6 will not send the right cookies in the request headers. In fact, I’m pretty sure it will send no cookies. Why? Because it’s a dick. Every Other Browser does this correctly. It’s not a security issue -it’s not like you’re asking IE6 to send cookies that belong to another domain, or to teach our nation’s children to read or anything. You’re asking the browser for the cookies that have been previously set, and IE6 in its infinite dick-kickery is failing in that basic respect.

What really gets my goat is that, whereas the iframe will not get its cookies, if you make the src of the iframe do an AJAX request to another page on the site, that request will get its cookies sent correctly.

The workaround I found is to give the <iframe> src a new page if the browser is IE6, and on that new page, make an AJAX request to another new page that outputs the value of the cookie you’re looking for. When you receive the AJAX request, you can then parse the response and redircet the user to the now-corrected original <iframe> src. It’s stupid and inefficient, I know:

<script type="text/javascript">
	// note: this page only called from IE6, so no browser testing 
	// or compatibility checks are needed. I'm rocking the prototype.js for
	// the ajax, you do what you like.

	function editionTest() {
		var test_url = '/cookie_tester.php';
		var domain = new Ajax.Request(test_url, {
    		onSuccess: function(transport){
				var response = transport.responseText;
				if (response.search('site_a') > -1) {
				} else if (response.search('site_b') > -1) {
				} else {
			onFailure: function() {

	function redirector(domain) {
		var url = parseUrl();
		var id = url['id'];
		var var = url['var'];		
		var domain_parsed = 'http://' + domain + '.throat-punch.com/page_you_really_wanted.php?id=' + id + '&var1=' + var1;
		window.location = domain_parsed;

	function parseUrl() {
		var hash = {};
		var url = String(document.location).split('?');
		if (url[1]) {
			var vars= url[1].split('&');
			var ct = vars.length;
			for (var i=0; i<ct; i++) {
				var item = vars[i].split('=');
				var name = item[0];
				var value = item[1];
				hash[name] = value;
		return hash;

Event.observe(window, 'load', function() {

I’m writing this post solely for google to pick it up, just in case anyone ever is in this position again. So, dude who googled “ie6 cookies iframe 302 throat punch”, this one’s for you.

(thanks to celebdu for the photo)


tags: , , , , , , , , ,
posted in ajax, coding, rant by chip

Follow comments via the RSS Feed | Leave a comment

7 Comments to "Stupid IE6 and its iframe cookie idiocy needs a throat punch"

  1. Patrick M wrote:

    I googled “teach our nation’s children basic dick-kickery”.

    I want my son to learn karate

  2. chip wrote:

    Thankfully, I am the one-stop shop on the Net for all your Children’s Basic dick-kickery needs! I show up first in the google search! Maybe I should change the site slogan…

  3. Violeta wrote:

    You are the best!
    I had to make a website in wich to include an iframe of an website.. I didn’t had access to that site to set header p3p/CP=”IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT” (another way to fuck ie6..ie7 and it’s privacy shit) soooo..
    You are the prince that saved me!
    regards, very good article!

  4. Trinidad and Tobago wrote:

    Oh my, and I was testing loads of cpa offers using Iframes.

  5. Iczillion wrote:

    May be that’s what’s gone wrong?


  6. chip wrote:

    Yes, Iczillion, that’s it as well. My problem was to get around it without modifying the P3P headers (in a large-enough site, what P3P headers to send out is a matter for the legal department, not the web developers)

  7. ppitalk.com wrote:

    I do agree with all of the concepts you’ve introduced on your post. They are really convincing and will certainly work. Nonetheless, the posts are too short for starters. May just you please extend them a little from subsequent time? Thanks for the post.

Leave Your Comment


Powered by Wordpress and MySQL. Theme by openark.org