Published on Web DevCenter (http://www.oreillynet.com/javascript/)

Web Privacy with P3P

Help! IE6 Is Blocking My Cookies

by Lorrie Faith Cranor, author of Web Privacy with P3P

I regularly hear from Web site developers who have added a new cookie-enabled feature to their site only to discover that visitors using the Microsoft Internet Explorer 6 (IE6) Web browser are unable to use it. After a little investigation, they discover the problem has something to do with cookies and a new W3C Recommendation called P3P. "What is P3P?" they ask. "What does it have to do with my cookies? And how can I stop IE6 from blocking them?" The answers to all of these questions and more can be found in my new book, Web Privacy with P3P. In this article, I will give you a quick introduction to P3P and an overview of what you need to do to prevent IE6 from blocking your cookies.

What is P3P?

The full name for P3P is the Platform for Privacy Preferences Project. P3P 1.0 is an official "recommendation" of the World Wide Web Consortium (W3C) that was approved in April 2002. P3P provides a standard way for Web sites to encode their privacy policies in a computer-readable XML format. This allows P3P-enabled Web browsers and other P3P user agents to fetch P3P privacy policies automatically, parse them, and compare them with a user's privacy preferences. P3P user agents can use the information in a P3P policy to provide a summarized version of Web site privacy policies to users. For example, IE6 offers a Privacy Report option from the View menu, and Netscape 7 includes a Privacy Summary button on its Page Info screen. The AT&T Privacy Bird is a free Internet Explorer add-on that puts a bird icon in the corner of a user's browser window. The bird changes color to indicate whether or not a site's P3P policy matches the user's preferences. Users can also click on the bird to get a summary of a site's privacy policy.

The P3P 1.0 Specification also defines an abbreviated version of a P3P policy, called a "compact policy," that can be transmitted in HTTP headers when cookies are set. Some P3P-enabled browsers, such as IE6, use the information in P3P compact policies to make cookie-blocking decisions.


Many of the Web's most popular sites have adopted P3P. Early adopters of P3P include information sites, such as About.com; search engines, such as Yahoo and Lycos; advertising networks, such as DoubleClick and Avenue A; travel agencies, such as Expedia; and telecommunications companies, such as AT&T.

Why Does IE6 Block My Cookies?

IE6 includes privacy features that can be used to selectively block cookies based on their P3P compact policies. For detailed information about these features, see Privacy in Internet Explorer 6 on MSDN (reproduced as Appendix C in Web Privacy with P3P). In the default IE6 settings, which most users never change, third-party cookies are blocked when they do not have compact policies or when they have "unsatisfactory" compact policies. Most sites that are experiencing cookie-blocking problems have third-party cookies on their site that do not have P3P compact policies.

What are Third-Party Cookies?

Cookies are associated with a Web page or with an image or other object embedded in a Web page. When a page or object is served, the server adds a special header that "sets" the cookie on the user's machine. Sometimes, Web pages include images, frames, or other content that is located on a site with a different domain name than the page in which it is embedded. For example, it is quite common for Web sites to embed banner advertisements that are served by an ad company. If any of these "third-party" images or objects set cookies, then they are referred to as third-party cookies.

Sometimes the domain from which a third-party cookie is set is owned by the same company as the Web page in which it is embedded. For example, a Web page at http://example.com/ might include an image and cookie from http://example.org/. However, IE6 does not know which sites are really related, so any cookie from a different domain than the site in which it is embedded is considered a third-party cookie.

Some cookie-blocking problems occur when a site is framed by another site. For example, a CD store that is part of an online shopping portal may appear in a frame provided by the portal. From the perspective of the browser, the CD store content may appear to be third-party content when framed by the portal. However, if a visitor goes directly to the CD store without going through the portal, the content will be first-party content. Thus, the CD store will find its cookies are blocked only when visitors come in through the portal. Web-based mail systems cause a similar problem. If a Web site visitor emails a Web page to a friend who uses a Web-based mail system, the email message will appear as third-party content to the friend's browser, because it is framed by the email system. If there are any cookies associated with the page that was emailed, they will be treated as third-party cookies by IE6.

How Can I Prevent IE6 from Blocking My Cookies?

To prevent IE6 from blocking cookies on your site, you need to make sure that all of the cookies that are being set in a third-party context have P3P compact policies associated with them, and that those compact policies are considered satisfactory by IE6. If the third-party cookies are being set by another company, you may need to ask them to P3P-enable and set P3P compact policies. Any host that sets a P3P compact policy must also have a corresponding full P3P policy. Users can change their IE6 settings so that cookies will be blocked under other conditions as well; however, placing satisfactory compact policies on third-party cookies will prevent most IE6 cookie blocking.

Unsatisfactory cookies are basically cookies with a P3P compact policy that indicates that the cookie may be associated with personally identifiable information that may be shared with other companies, used for marketing, used for profiling, or used for unknown purposes -- without giving the user the option of opting out. There is a detailed explanation of satisfactory and unsatisfactory cookies in my book and on the Microsoft Web site referenced above.

How Do I P3P-Enable My Web Site and Use Compact Policies?

P3P-enabling a site need not be difficult, time-consuming, or expensive. A small site that has an existing privacy policy may be able to get P3P-enabled within a few hours. However, I know from experience that P3P-enabling a site for a multi-national company that has dozens, or even hundreds, of Web servers for many different business units located around the world can be a challenge. Fortunately, the task can be accomplished incrementally, and P3P can be rolled out one server at a time, if need be.

In Web Privacy with P3P I describe the process of P3P-enabling a Web site in seven steps. Here is a summary of this process:

  1. Hopefully, your site already has a privacy policy. If not, you need to create one. This is not only essential for using P3P, but also good business practice. Chapter 5, "Overview and Options," of Web Privacy with P3P includes some tips on writing a privacy policy and links to online resources that you may find helpful.

  2. Once you have created a privacy policy, you will need to analyze the use of cookies and third-party content on your site. Privacy policies describe the kinds of data a company may collect, but they generally do not go into much detail about the ways in which cookies are used. Cookies can enable otherwise non-identifiable data to be linked to identifiable data, sometimes unintentionally. They may also enable data to be shared in unanticipated ways. It is important to analyze how cookies are used on your Web site and how they interact with other cookies and with HTML forms. It is also important to identify cookies that may be treated as third-party cookies.

  3. Next, determine whether you want to have one P3P policy for your entire site or different P3P policies for different parts of your site. If you already have multiple privacy policies for your site, then you will probably want to have multiple P3P policies as well. For example, some sites have different policies associated with different types of services they offer. Even if you have a single, comprehensive policy for your entire site, you may want to have multiple P3P policies. For example, your site's privacy policy might include a statement like "We do not collect personally identifiable information from visitors except when they fill out a form to order a product from us." You might wish to create two P3P policies -- one for use on most of your site where there are no forms, and the other for use specifically on the parts of the site where visitors fill out forms to order products.

  4. Create a P3P policy (or policies) and compact policy for your site. You can use one of the P3P policy-generator tools listed at http://www.w3.org/P3P/ to easily create a P3P policy and compact policy without having to learn XML. My personal favorite is the P3P Policy Editor from IBM, which is available as a free download. Chapter 7, "Creating P3P Policies," of Web Privacy with P3P includes step-by-step instructions for using the P3P Policy Editor.

  5. Create a policy reference file for your site. Most of the policy generator tools will help you create a policy reference file. This file lists all of the P3P policies on your site and the parts of your site to which they apply. In most circumstances, you will have just one policy reference file for your entire site.

  6. Configure your server for P3P. On most sites, this can be done by simply placing the P3P policy and policy reference files on the Web server in the proper locations. (Usually, the proper location for the policy reference files is /w3c/p3p.xml -- which is known as the "well-known location.") However, due to the way some sites are set up, they may find it advantageous to configure their servers to send a special P3P header with every HTTP response. Some sites may find it useful to add special P3P LINK tags to their HTML content. Sites with third-party cookies (and some sites with first-party cookies) will also want to configure their servers to add P3P compact policies to their HTTP set-cookie responses. Appendix B of my book provides instructions for configuring several popular Web servers to do this. This information is also available online.

  7. Test your site to make sure it is properly P3P-enabled. The W3C P3P Validator can be used to test your site and report back a list of any problems it finds. Of course, this tool cannot verify that your P3P policy matches your privacy policy, or that either policy conforms with your actual practices. But it can make sure that your policy and policy reference files are syntactically correct and that you've configured everything properly. This tool can also be used to verify that your server is issuing P3P compact policies when it sets cookies. You can try the W3C P3P Validator.

Some Web developers have told me that they found P3P policies and compact policies on random Web sites and copied them onto their own sites in order to quickly P3P-enable. This is a very bad idea! P3P policies are similar to contracts. They make statements about Web site privacy policies that must be consistent with the site's human-readable privacy policy, as well as the site's actual practices. You may want to review other Web sites' P3P policies to better understand P3P, or take a look at the examples in my book, but make sure the policies you post represent your site's actual practices!

I P3P-Enabled My Site, But My Cookies Are Still Being Blocked by IE6

There are several reasons why this may happen. It may take a little detective work to solve the problem, but usually it is solvable.

Most often, the problem is that the Web server is not actually issuing the P3P compact policy with the set-cookie responses. In some cases, it may be issuing the compact policy with some set-cookie responses, but not with others. You can use the W3C P3P Validator to check whether the compact policy is being issued. Fixing this problem depends on your particular server and how the cookie is being set.

Sometimes the problem is that the compact policy is not syntactically correct. This is easily checked with the W3C P3P Validator.

In other cases, the compact policy is correct, but it does not meet IE6's qualifications as a satisfactory policy. The P3P Policy Editor provides information about whether a compact policy is considered satisfactory. Some of the Web-based compact policy tools listed on the W3C Web site also provide this information. If your compact policy is not satisfactory, you may need to change your site's data practices. Generally, this involves providing a way for users to opt out of having their data used in certain ways. Sometimes cookies are blocked only when users change the IE6 default cookie settings. In this case, a user has selected more stringent criteria for cookie blocking. Again, you can change your practices to meet these criteria. However, this is not always possible. You should make sure your applications at least fail gracefully in cases where your cookies are blocked. Ideally, your applications will be able to operate (at least partially) without cookies, or they will notify the user that cookies are required and provide instructions for overriding the blocking.
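As an added example (not from the book, the W3C Validator, or any real site's configuration), here are the checks the last few paragraphs describe, in Python: whether a Set-Cookie response carries a P3P compact policy at all, whether its tokens are valid P3P 1.0 vocabulary, and whether it combines identifiable data with an unsatisfactory use. The unsatisfactory test approximates the rule as stated above and is not IE6's exact decision table; the sample headers are constructed.

```python
import re

# P3P 1.0 compact-policy vocabulary (W3C P3P 1.0 Recommendation).
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA", "HEA", "PRE", "LOC", "GOV", "OTC"}
PLAIN = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "STP", "LEG", "BUS", "IND",  # access, retention
         "DSP", "COR", "MON", "LAW", "NID", "TST"}                              # disputes, remedies, misc
# The article's unsatisfactory rule, approximated (not IE6's exact decision table): identifiable
# data plus a marketing, profiling, unknown-purpose or sharing use that offers no opt-in or opt-out.
IDENTIFIABLE = {"PHY", "ONL", "GOV", "FIN"}
SENSITIVE_USE = {"CON", "TEL", "IVA", "IVD", "OTP", "SAM", "UNR", "PUB", "OTR"}

def parse_p3p_header(value):
    """Split a P3P header value into (compact-policy tokens, policyref or None)."""
    cp = re.search(r'CP="([^"]*)"', value)
    ref = re.search(r'policyref="([^"]*)"', value)
    return (cp.group(1).split() if cp else []), (ref.group(1) if ref else None)

def unknown_tokens(tokens):
    """Tokens outside the vocabulary; a/i/o on purposes and recipients are the opt-in/out qualifiers."""
    def valid(tok):
        base, suffix = tok[:3], tok[3:]
        return ((base in PLAIN | CATEGORIES and suffix == "") or
                (base in PURPOSES | RECIPIENTS and suffix in ("", "a", "i", "o")))
    return [t for t in tokens if not valid(t)]

def unsatisfactory_tokens(tokens):
    if not IDENTIFIABLE & set(tokens):      # no identifiable data: the rule does not apply
        return []
    return [t for t in tokens if t[:3] in SENSITIVE_USE and t[3:] in ("", "a")]

def check_response(headers):
    """The article's three checks over a list of (name, value) response headers."""
    p3p = [v for n, v in headers if n.lower() == "p3p"]
    if not p3p and any(n.lower() == "set-cookie" for n, _ in headers):
        return ["Set-Cookie sent without a P3P compact policy"]
    findings = []
    for value in p3p:
        tokens, _ = parse_p3p_header(value)
        findings += ["unknown token " + t for t in unknown_tokens(tokens)]
        findings += ["no opt-out for " + t for t in unsatisfactory_tokens(tokens)]
    return findings

# Constructed sample responses, not captured from any real site.
OK_RESPONSE = [("Set-Cookie", "sid=abc123; path=/"),
               ("P3P", 'CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM STA PRE"')]
BAD_RESPONSE = [("Set-Cookie", "track=xyz; path=/"),
                ("P3P", 'policyref="/w3c/p3p.xml", CP="ALL DSP CURa ADMa IVAa OTPa OUR SAMa OTRa IND PHY ONL FIN"')]
```

Changing the flagged tokens to their opt-out form (for example IVAo, OTPo, SAMo, OTRo) is the kind of practice change the paragraph above describes, and makes check_response return no findings for the second sample.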

I have seen a few cases where P3P-enabling a site solves the cookie-blocking problem, but the developer who is testing the site doesn't realize this, because their browser has stored old cookies that are still being blocked. If all else fails, try removing your site's cookies from your computer (or even deleting all of your cookies) and restarting your browser to see whether the new cookies are still being blocked.

My Cookies Aren't Being Blocked, But Users Are Not Able to View an IE6 Privacy Report for My Site

Usually this occurs when a site has not been properly P3P-enabled. In order for a privacy report to display, the site must be properly P3P-enabled with a full P3P policy and policy reference file. The first thing you should do is use the W3C P3P Validator to make sure there are no syntax errors in these files and verify that they have been placed in the proper location on your Web server. If the Privacy Report is available from some pages on your site but not others, then you probably have a problem with your policy reference file. Chapter 8, "Creating and Referencing Policy Reference Files," of Web Privacy with P3P gives detailed information about policy reference files.

Producer's Note: We have recently P3P-enabled the oreilly.com and oreillynet.com sites. I encourage you to use our policy as an example when creating your own, while also heeding Lorrie's advice that your P3P privacy policy, your site's human-readable privacy policy, and your site's actual practices are all consistent (I found that to be the most difficult part of the process).

O'Reilly & Associates recently released (September 2002) Web Privacy with P3P.

Lorrie Faith Cranor is an Associate Research Professor in the School of Computer Science and in the Engineering and Public Policy Department at Carnegie Mellon University. She is director of the CMU Usable Privacy and Security Laboratory (CUPS). She came to CMU in December 2003 after seven years at AT&T Labs-Research.


Copyright © 2009 O'Reilly Media, Inc.