Monthly Archives: September 2011

IE Bug – iframe Cookies Blocked

Posted on by

At Hope College we use Google Apps and it’s great. Especially the Forms in Google Docs. Create the form using an editor, they give you a snippet of code to include in your web page, and bam! Your form is web 2.0 and the data conveniently gets saved into a spreadsheet.

But what if you want the form to be private? No problem. Specify who can access it from your domain and require authentication. Easy enough.

There’s just one problem – Internet Explorer refuses to load the page after sign in, saying “Internet Explorer cannot display the webpage.” All hopes and dreams of easy forms are now shattered. Well it turns out that IE’s overzealous security blocks third party cookies from within an iframe, and yup, you guessed it, the Google Form loads within an iframe.

There are several workarounds, but unfortunately none are ideal:

  1. Add google.com to the list of accepted sites in IE’s security settings for every user using the form. Not realistic.
  2. Just point directly to the form instead of using the iframe to load it within another page. Not always ideal.
  3. Use any other browser in the world. Sure, tell that the millions of people who think Internet Explorer is the Internet. But if your audience is limited to a small group of people, this is possible.
  4. Security through obscurity. Don’t link to the form’s page anywhere on the web. Not a bad idea. For a while. Eventually, though, someone might link to it and a spammer will find it.
  5. Make the form public and do not require sign-in, but lock down the webpage or directory using another authentication mechanism. If your organization uses a single sign-on like Hope College does, with an LDAP server or similar that integrates with Google Apps, this is not a bad option.

The last two solutions are the most consistent means of providing secure access, but still, these methods make the form anonymous. One of the advantages of requiring a sign-on is to track who submitted it. Requiring a name field is fine as long as no one maliciously lies about their identity.

If anyone has a better solution, I’d love to hear it. For me, Google Forms is still one of those not totally usable features of Google Apps.