Help! IE6 Is Blocking My Cookies

by Lorrie Faith Cranor, author of Web Privacy with P3P

I regularly hear from Web site developers who have added a new cookie-enabled feature to their site only to discover that visitors using the Microsoft Internet Explorer 6 (IE6) Web browser are unable to use it. After a little investigation, they discover the problem has something to do with cookies and a new W3C Recommendation called P3P. "What is P3P?" they ask. "What does it have to do with my cookies? And how can I stop IE6 from blocking them?" The answers to all of these questions and more can be found in my new book, Web Privacy with P3P. In this article, I will give you a quick introduction to P3P and an overview of what you need to do to prevent IE6 from blocking your cookies.

What is P3P?

The full name for P3P is the Platform for Privacy Preferences Project. P3P 1.0 is an official "recommendation" of the World Wide Web Consortium (W3C) that was approved in April 2002. P3P provides a standard way for Web sites to encode their privacy policies in a computer-readable XML format. This allows P3P-enabled Web browsers and other P3P user agents to fetch P3P privacy policies automatically, parse them, and compare them with a user's privacy preferences. P3P user agents can use the information in a P3P policy to provide a summarized version of Web site privacy policies to users. For example, IE6 offers a Privacy Report option from the View menu, and Netscape 7 includes a Privacy Summary button on its Page Info screen. The AT&T Privacy Bird is a free Internet Explorer add-on that puts a bird icon in the corner of a user's browser window. The bird changes color to indicate whether or not a site's P3P policy matches the user's preferences. Users can also click on the bird to get a summary of a site's privacy policy.

The P3P 1.0 Specification also defines an abbreviated version of a P3P policy, called a "compact policy," that can be transmitted in HTTP headers when cookies are set. Some P3P-enabled browsers, such as IE6, use the information in P3P compact policies to make cookie-blocking decisions.


Many of the Web's most popular sites have adopted P3P. Early adopters of P3P include information sites, such as About.com; search engines, such as Yahoo and Lycos; advertising networks, such as DoubleClick and Avenue A; travel agencies, such as Expedia; and telecommunications companies, such as AT&T.

Why Does IE6 Block My Cookies?

IE6 includes privacy features that can be used to selectively block cookies based on their P3P compact policies. For detailed information about these features, see Privacy in Internet Explorer 6 on MSDN (reproduced as Appendix C in Web Privacy with P3P). In the default IE6 settings, which most users never change, third-party cookies are blocked when they do not have compact policies or when they have "unsatisfactory" compact policies. Most sites that are experiencing cookie-blocking problems have third-party cookies on their site that do not have P3P compact policies.

What are Third-Party Cookies?

Cookies are associated with a Web page or with an image or other object embedded in a Web page. When a page or object is served, the server adds a special header that "sets" the cookie on the user's machine. Sometimes, Web pages include images, frames, or other content that is located on a site with a different domain name than the page in which it is embedded. For example, it is quite common for Web sites to embed banner advertisements that are served by an ad company. If any of these "third-party" images or objects set cookies, then they are referred to as third-party cookies.

Sometimes the domain from which a third-party cookie is set is owned by the same company as the Web page in which it is embedded. For example, a Web page at http://example.com/ might include an image and cookie from http://example.org/. However, IE6 does not know which sites are really related, so any cookie from a different domain than the site in which it is embedded is considered a third-party cookie.

Some cookie-blocking problems occur when a site is framed by another site. For example, a CD store that is part of an online shopping portal may appear in a frame provided by the portal. From the perspective of the browser, the CD store content may appear to be third-party content when framed by the portal. However, if a visitor goes directly to the CD store without going through the portal, the content will be first-party content. Thus, the CD store will find its cookies are blocked only when visitors come in through the portal. Web-based mail systems cause a similar problem. If a Web site visitor emails a Web page to a friend who uses a Web-based mail system, the email message will appear as third-party content to the friend's browser, because it is framed by the email system. If there are any cookies associated with the page that was emailed, they will be treated as third-party cookies by IE6.

How Can I Prevent IE6 from Blocking My Cookies?

To prevent IE6 from blocking cookies on your site, you need to make sure that all of the cookies that are being set in a third-party context have P3P compact policies associated with them, and that those compact policies are considered satisfactory by IE6. If the third-party cookies are being set by another company, you may need to ask them to P3P-enable and set P3P compact policies. Any host that sets a P3P compact policy must also have a corresponding full P3P policy. Users can change their IE6 settings so that cookies will be blocked under other conditions as well; however, placing satisfactory compact policies on third-party cookies will prevent most IE6 cookie blocking.

Unsatisfactory cookies are, roughly, cookies whose P3P compact policy indicates that the cookie may be associated with personally identifiable information that may be shared with other companies, used for marketing, used for profiling, or used for unknown purposes, without giving the user the option of opting out. There is a detailed explanation of satisfactory and unsatisfactory cookies in my book and on the Microsoft Web site referenced above.
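To make the decision procedure described in the last three sections concrete (first- versus third-party classification, the compact policy carried in the P3P response header, and the "satisfactory" test), here is a small Python model of IE6's default behavior. This is an added example, not code from the article or from Microsoft. The host names, URLs and header values are constructed, the `registrable_domain` helper is a crude two-label approximation, and `compact_policy_is_satisfactory` is a simplified rule written from the article's wording rather than Microsoft's published criteria; only the compact-policy token names themselves are real P3P 1.0 tokens.

```python
"""Model of IE6's default cookie decision as the article describes it (added example).
Hosts, header values and the 'satisfactory' rule are constructed assumptions."""
import re
from urllib.parse import urlsplit

# Real P3P 1.0 compact-policy tokens, grouped for the simplified test below.
IDENTIFYING_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}   # contact, government-id, financial data
RISKY_PURPOSES_OR_RECIPIENTS = {
    "SAM", "OTR", "UNR", "PUB",          # data may reach other companies or the public
    "CON", "TEL",                        # contacting/telemarketing the user (marketing)
    "TAI", "PSA", "PSD", "IVA", "IVD",   # tailoring and profiling
    "OTP",                               # "other" (unknown) purposes
}


def registrable_domain(url: str) -> str:
    """Crude 'site' name: the last two host labels (assumption; no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(top_level_url: str, resource_url: str) -> bool:
    """IE6 treats a cookie as third-party whenever it comes from a domain other than
    the top-level page's domain; it cannot know that two domains share an owner."""
    return registrable_domain(top_level_url) != registrable_domain(resource_url)


def parse_compact_policy(p3p_header: str):
    """Return the CP tokens from a header value such as
    policyref="/w3c/p3p.xml", CP="NOI DSP COR NID"  or None if there is no CP field."""
    match = re.search(r'\bCP\s*=\s*"([^"]*)"', p3p_header)
    return match.group(1).split() if match else None


def compact_policy_is_satisfactory(tokens) -> bool:
    """Simplified stand-in for IE6's 'satisfactory' test, modelled on the article's
    wording (assumption, not Microsoft's exact rule): unsatisfactory when identifiable
    data is collected and a sharing, marketing, profiling or unknown-purpose token has
    no opt-in ('i') or opt-out ('o') suffix."""
    names = {t[:3].upper() for t in tokens}
    if "NID" in names or not (names & IDENTIFYING_CATEGORIES):
        return True                      # non-identifiable data: nothing to object to
    for tok in tokens:
        name, suffix = tok[:3].upper(), tok[3:].lower()
        if name in RISKY_PURPOSES_OR_RECIPIENTS and suffix not in ("i", "o"):
            return False                 # the user is given no choice about this use
    return True


def ie6_default_accepts_cookie(top_level_url: str, resource_url: str, headers: dict):
    """Decide, under IE6's default setting as the article describes it, whether the
    cookie in this response is kept. Returns (accepted, reason)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "set-cookie" not in lower:
        return True, "no cookie in response"
    if not is_third_party(top_level_url, resource_url):
        return True, "first-party cookie: not subject to the default block"
    tokens = parse_compact_policy(lower["p3p"]) if "p3p" in lower else None
    if tokens is None:
        return False, "third-party cookie without a compact policy"
    if compact_policy_is_satisfactory(tokens):
        return True, "third-party cookie with a satisfactory compact policy"
    return False, "third-party cookie with an unsatisfactory compact policy"


# Constructed scenarios mirroring the article's cases (hypothetical hosts).
CD_STORE = "http://cdstore.example/catalog"
PORTAL = "http://portal.example/shops"
NO_P3P = {"Set-Cookie": "session=abc123; path=/"}
SATISFACTORY = {"Set-Cookie": "session=abc123; path=/",
                "P3P": 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR OUR STA"'}
UNSATISFACTORY = {"Set-Cookie": "ad=xyz; path=/",
                  "P3P": 'CP="PHY ONL UNI DSP COR CUR TAI IVA SAM OTR BUS"'}
OPT_OUT = {"Set-Cookie": "ad=xyz; path=/",
           "P3P": 'CP="PHY ONL UNI DSP COR CUR TAIo IVAo SAMo OTRo BUS"'}

if __name__ == "__main__":
    for top, res, hdrs in [
        (CD_STORE, CD_STORE, NO_P3P),        # visited directly: first-party, kept
        (PORTAL, CD_STORE, NO_P3P),          # framed by the portal: third-party, blocked
        (PORTAL, CD_STORE, SATISFACTORY),    # same frame, compact policy added: kept
        ("http://example.com/", "http://ads.example.org/banner.gif", UNSATISFACTORY),
        ("http://example.com/", "http://ads.example.org/banner.gif", OPT_OUT),
    ]:
        print(ie6_default_accepts_cookie(top, res, hdrs))
```

The framed CD store case is the one that surprises most developers: the same response is accepted when the store is visited directly and blocked when the portal frames it, and the only change that fixes the framed case is adding a compact policy to the response. The opt-out scenario shows why the suffixes matter: the same tokens that make a policy unsatisfactory become acceptable once they carry an "o" (opt-out) or "i" (opt-in) attribute, which is the "option of opting out" the article refers to.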
