Tricky issue with the above 4 in one app...
IE was blocking a session cookie from my ASP.Net MVC web application when hosted in the Facebook IFRAME. The anti-forgery token in ASP.Net (used to protect against spoof form posts, known as CSRF attacks) would fail, saying the cookie it was checking against couldn't be found.
To resolve this, I needed two things:
1) an XML file located at /w3c/p3p.xml containing:
    <META xmlns="http://www.w3.org/2002/01/P3Pv1">
      <POLICY-REFERENCES>
        <EXPIRY max-age="10000000"/>
      </POLICY-REFERENCES>
    </META>
2) and a header emitted (in server-side code; the meta tag equivalent didn't seem to suffice):
Response.AppendHeader("P3P", "CP='IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA'");
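
A way to confirm both pieces are actually in place after deployment, as an added example that is not code from the original post: it checks that any response setting a cookie also carries a P3P header with a compact policy, and that the /w3c/p3p.xml body is a well-formed policy reference file. The function names are hypothetical, and the sample inputs are constructed from the values shown above (the cookie value is a placeholder).

```python
import re
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample inputs, built from the file body and header value in the post.
SAMPLE_P3P_XML = ('<META xmlns="http://www.w3.org/2002/01/P3Pv1"> <POLICY-REFERENCES> '
                  '<EXPIRY max-age="10000000"/> </POLICY-REFERENCES> </META>')
SAMPLE_HEADERS = [
    ("Set-Cookie", "__RequestVerificationToken=PLACEHOLDER; path=/; HttpOnly"),
    ("P3P", "CP='IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA'"),
]

def parse_compact_policy(value):
    """Return the compact-policy tokens in a P3P header value, or [] if it has no CP field."""
    m = re.search(r"""\bCP\s*=\s*(["'])(.*?)\1""", value, re.IGNORECASE)
    return m.group(2).split() if m else []

def check_response(headers):
    """Return a list of problems for one response's (name, value) header pairs."""
    names = [name.lower() for name, _ in headers]
    if "set-cookie" not in names:
        return []  # no cookie on this response, so nothing for IE to block
    p3p = [value for name, value in headers if name.lower() == "p3p"]
    if not p3p:
        return ["response sets a cookie but has no P3P header"]
    if not parse_compact_policy(p3p[0]):
        return ["P3P header present but carries no compact policy"]
    return []

def check_policy_reference(xml_text):
    """Return a list of problems with the body served at /w3c/p3p.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{P3P_NS}}}META":
        return ["root element is not META in the P3P namespace"]
    refs = root.find(f"{{{P3P_NS}}}POLICY-REFERENCES")
    if refs is None:
        return ["missing POLICY-REFERENCES element"]
    expiry = refs.find(f"{{{P3P_NS}}}EXPIRY")
    max_age = expiry.get("max-age") if expiry is not None else None
    if max_age is not None and not max_age.isdigit():
        return ["EXPIRY max-age is not a non-negative integer"]
    return []
```

Feed `check_response` the header pairs captured from the response that sets the anti-forgery cookie, since that is the response IE evaluates.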