Do Flash and IE play nicely with HTTP cookies?

We're developing a Flex-based component that's going to be hosted inside another company's product. Due to the nature of their hosting environment, the Flash movie will run in its own <iframe> tag.

The Flex app calls out to our REST services via HTTPS, and authenticates with an HTTP cookie. This works beautifully in Chrome, Firefox, Safari... everything except IE. I compared requests from Chrome and IE using Fiddler, and noticed that they are identical, save f开发者_C百科or the HTTP Cookies. IE omits several, including the one used for authentication.

Can anyone shed some light on why this might be the case?

Thanks much.

So as it happens, the issue is certainly IE's security policies. By default, IE will refuse to send cross-domain cookies. In a nutshell, this means that the only domain that IE will set cookies for is the one in the address bar.

Unless, of course, the third-party domain includes a "P3P" header in the response that sets the cookie(s). The presence of this header seems to persuade IE to behave as expected.

After including P3P: CP="CAO PSA OUR" in the responses from our authentication page, everything functions as expected.