Help! IE6 Is Blocking My Cookiesby Lorrie Faith Cranor, author of Web Privacy with P3P
I regularly hear from Web site developers who have added a new cookie-enabled feature to their site only to discover that visitors using the Microsoft Internet Explorer 6 (IE6) Web browser are unable to use it. After a little investigation, they discover the problem has something to do with cookies and a new W3C Recommendation called P3P. "What is P3P?" they ask. "What does it have to do with my cookies? And how can I stop IE6 from blocking them?" The answers to all of these questions and more can be found in my new book, Web Privacy with P3P. In this article, I will give you a quick introduction to P3P and an overview of what you need to do to prevent IE6 from blocking your cookies.
The P3P 1.0 Specification also defines an abbreviated version of a P3P policy, called a "compact policy," that can be transmitted in HTTP headers when cookies are set. Some P3P-enabled browsers, such as IE6, use the information in P3P compact policies to make cookie-blocking decisions.
Many of the Web's most popular sites have adopted P3P. Early adopters of P3P include information sites, such as About.com; search engines, such as Yahoo and Lycos; advertising networks, such as DoubleClick and Avenue A; travel agencies, such as Expedia; and telecommunications companies, such as AT&T.
IE6 includes privacy features that can be used to selectively block cookies based on their P3P compact policies. For detailed information about these features, see Privacy in Internet Explorer 6 on MSDN (reproduced as Appendix C in Web Privacy with P3P). In the default IE6 settings, which most users never change, third-party cookies are blocked when they do not have compact policies or when they have "unsatisfactory" compact policies. Most sites that are experiencing cookie-blocking problems have third-party cookies on their site that do not have P3P compact policies.
Cookies are associated with a Web page or with an image or other object embedded in a Web page. When a page or object is served, the server adds a special header that "sets" the cookie on the user's machine. Sometimes, Web pages include images, frames, or other content that is located on a site with a different domain name than the page in which it is embedded. For example, it is quite common for Web sites to embed banner advertisements that are served by an ad company. If any of these "third-party" images or objects set cookies, than they are referred to as third-party cookies.
Sometimes the domain from which a third-party cookie is set is owned by the same company as the Web page it which it is embedded. For example, a Web page at http://example.com/ might include an image and cookie from http://example.org/. However, IE6 does not know which sites are really related, so any cookie from a different domain than the site in which it is embedded is considered a third-party cookie.
Some cookie-blocking problems occur when a site is framed by another site. For example, a CD store that is part of an online shopping portal may appear in a frame provided by the portal. From the perspective of the browser, the CD store content may appear to be third-party content when framed by the portal. However, if a visitor goes directly to the CD store without going through the portal, the content will be first-party content. Thus, the CD store will find their cookies are blocked only when visitors come in through the portal. Web-based mail systems also cause a similar problem. If a Web site visitor emails a Web page to a friend who uses a Web-based mail system, the email message will appear as third-party content to the friend's browser, because it is framed by the email system. If there are any cookies associated with the page that was emailed, they will be treated as third-party cookies by IE6.
To prevent IE6 from blocking cookies on your site, you need to make sure that all of the cookies that are being set in a third-party context have P3P compact policies associated with them, and that those compact policies are considered satisfactory by IE6. If the third-party cookies are being set by another company, you may need to ask them to P3P-enable and set P3P compact policies. Any host that sets a P3P compact policy must also have a corresponding full P3P policy. Users can change their IE6 settings so that cookies will be blocked under other conditions as well; however, placing satisfactory compact policies on third-party cookies will prevent most IE6 cookie blocking.
Unsatisfactory cookies are basically cookies with a P3P compact policy that indicates that the cookie may be associated with personally-identifiable information that may be shared with other companies, used for marketing, used for profiling, or used for unknown purposes -- without giving the user the option of opting out. There is a detailed explanation of satisfactory and unsatisfactory cookies in my book and on the Microsoft Web site referenced above.
In Web Privacy with P3P I describe the process of P3P-enabling a Web site in seven steps. Here is a summary of this process:
Create a P3P policy (or policies) and compact policy for your site. You can use one of the P3P policy-generator tools listed at http://www.w3.org/P3P/ to easily create a P3P policy and compact policy without having to learn XML. My personal favorite is the P3P Policy Editor from IBM, which is available as a free download. Chapter 7, "Creating P3P Policies," of Web Privacy with P3P includes step-by-step instructions for using the P3P Policy Editor.
Create a policy reference file for your site. Most of the policy generator tools will help you create a policy reference file. This file lists all of the P3P policies on your site and the parts of your site to which they apply. In most circumstances, you will have just one policy reference file for your entire site.
Configure your server for P3P. On most sites, this can be done by simply placing the
P3P policy and policy reference files on the Web server in the proper locations. (Usually,
the proper location for the policy reference files is /w3c/p3p.xml -- which is known as the
"well-known location.") However, due to the way some sites are set up, they may find it
advantageous to configure their servers to send a special P3P header with every HTTP
response. Some sites may find it useful to add special P3P
LINK tags to their HTML
content. Sites with third-party cookies (and some sites with first-party cookies) will also
want to configure their servers to add P3P compact policies to their HTTP set-cookie
responses. Appendix B of my book provides instructions for configuring several popular
Web servers to do this. This information is also available online.
There are several reasons why this may happen. It may take a little detective work to solve the problem, but usually it is solvable.
Most often, the problem is that the Web server is not actually issuing the P3P compact policy with the set-cookie responses. In some cases, it may be issuing the compact policy with some set-cookie responses, but not with others. You can use the W3C P3P Validator to check whether the compact policy is being issued. Fixing this problem depends on your particular server and how the cookie is being set.
Sometimes the problem is that the compact policy is not syntactically correct. This is easily checked with the W3C P3P Validator.
In other cases, the compact policy is correct, but it does not meet IE6's qualifications as a satisfactory policy. The P3P Policy Editor provides information about whether a compact policy is considered satisfactory. Some of the Web-based compact policy tools listed on the W3C Web site also provide this information. If your compact policy is not satisfactory, you may need to change your site's data practices. Generally, this involves providing a way for users to opt out of having their data used in certain ways. Sometimes cookies are blocked only when users change the IE6 default cookie settings. In this case, a user has selected more stringent criteria for cookie blocking. Again, you can change your practices to meet these criteria. However, this is not always possible. You should make sure your applications at least fail gracefully in cases where your cookies are blocked. Ideally, your applications will be able to operate (at least partially) without cookies, or they will notify the user that cookies are required and provide instructions for overriding the blocking.
I have seen a few cases where P3P-enabling a site solves the cookie-blocking problem, but the developer who is testing the site doesn't realize this, because their browser has stored old cookies that are still being blocked. If all else fails, try removing your site's cookies from your computer (or even deleting all of your cookies) and restarting your browser to see whether the new cookies are still being blocked.
Usually this occurs when a site has not been properly P3P-enabled. In order for a privacy report to display the site must be properly P3P-enabled with a full P3P policy and policy reference file. The first thing you should do is use the W3C Validator to make sure there are no syntax errors in these files and verify that they have been placed in the proper location on your Web server. If the Privacy Report is available from some pages on your site but not others, then you probably have a problem with your policy reference file. Chapter 8, "Creating and Referencing Policy Reference Files," of Web Privacy with P3P gives detailed information about policy reference files.
O'Reilly & Associates recently released (September 2002) Web Privacy with P3P.
Sample Chapter 1, Introduction to P3P, is available free online.
For more information, or to order the book, click here.
You can also check out the Author's Web Site for the book.
Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.
Return to the Web Development DevCenter.
Copyright © 2009 O'Reilly Media, Inc.