
Cookies and iframes, how to deal with them?

The other day I discovered that iexplorer is not accepting cookies from an iframe unless the iframe provides P3P authorization. At first, I was like "WTF?", but today I was wondering about the bad things that could happen.

For example, I have a website named herp.com, where you can delete a product with http://herp.com/product/111/delete (I know this is a bad practice, GET should be idempotent). Then a malicious webmaster creates a web in http://derp.com with an iframe to http://herp.com/product/111/delete, so... if I, as a logged-in user in herp.com, open derp.com with my browser... will I delete the product 111?

What other issues should I be afraid of?

Thanks in advance.


You should be more afraid of your HTTP GET causing a delete. The scenario you are describing is not much different than throwing a redirect on a page from derp.com to herp.com/product/111/delete. In either scenario, the user will unknowingly load herp.com, and the browser will automatically supply any cookies for that site.

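To make the answer concrete, here is an added example (not from the question or the answer) modelling the herp.com delete endpoint in plain Python, with no web framework. The "vulnerable" handler trusts the session cookie alone, exactly as in the question, so a request the browser issues for derp.com's iframe deletes the product; the hardened handler only acts on a POST that carries a session-bound CSRF token, which the page on derp.com can neither read nor compute. The request dicts, session store, secret and product table are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values; a real app keeps the secret out of source and sessions in a store.
SECRET_KEY = b"constructed-demo-secret"
SESSIONS = {"sess-alice": "alice"}          # cookie value -> logged-in user

def current_user(request):
    return SESSIONS.get(request["cookies"].get("session"))

def csrf_token(session_cookie):
    """Token tied to the session: derp.com never sees the cookie value, so it cannot forge it."""
    return hmac.new(SECRET_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()

def vulnerable_delete(request, products):
    """GET /product/<id>/delete as in the question: the cookie alone authorizes."""
    user = current_user(request)
    if user is None:
        return 401
    if products.get(request["product_id"]) != user:
        return 403
    del products[request["product_id"]]
    return 200

def hardened_delete(request, products):
    """Same action, but only on POST carrying a token the cross-site page cannot supply."""
    user = current_user(request)
    if user is None:
        return 401
    if request["method"] != "POST":             # an <iframe src=...> can only issue GET
        return 405
    expected = csrf_token(request["cookies"]["session"])
    if not hmac.compare_digest(request["form"].get("csrf", ""), expected):
        return 403
    if products.get(request["product_id"]) != user:
        return 403
    del products[request["product_id"]]
    return 200

def cross_site_iframe_request():
    """What herp.com receives when derp.com frames the delete URL: browser adds the cookie, nothing else."""
    return {"method": "GET", "product_id": 111, "cookies": {"session": "sess-alice"}, "form": {}}

def own_form_request(token):
    """The delete form on herp.com itself: POST with the token rendered into the page."""
    return {"method": "POST", "product_id": 111, "cookies": {"session": "sess-alice"},
            "form": {"csrf": token}}
```

Marking the session cookie SameSite is a complementary browser-side control, but the server-side check above is what stops the framed GET regardless of browser.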
