16 Jan 2008

P3P so IE6+ Won't Drop Your Cookies

Yesterday, my primary client IM'd me with a panicked message. He had discovered that users were unable to log in or register on his website – "sessions and captcha failure", as he put it – if the browser was IE6 or IE7 in "Medium High" privacy mode.

Considering that the site has been live for 5 months, it's no fun discovering this only now. Surely the VP was panicked too. How many users have we lost to this, without even knowing it?

Initially I suspected a simple error in cookie-setting logic. Maybe it was intermittent, not related to IE at all? But a little bit of Googling revealed that IE6+ explicitly rejects cookies under certain conditions, and this is proportional to the "Privacy Level" setting.

It turns out that IE6 added support for a W3C official "recommendation" called Platform for Privacy Preferences. It's a protocol allowing websites to declare their intended use of information they collect about browsing users. It was officially recommended on April 16, 2002.

Specifically, IE6/IE7 looks for the following:

"/w3c/p3p.xml" – the "policy reference" file, which points to...
The "policy file", an XML file declaring in machine-readable form how you intend to use personal data
"P3P:" HTTP header to declare a "compact policy" (summary of full policy)

When configured for "Medium High Privacy", IE6 blocks first-party cookies IFF you don't specify a compact policy, or if your compact policy says "I'm going to contact you without your consent" (spam, etc). Under "High Privacy", IE6 blocks all cookies when there's no compact policy defined.

If you want Internet Explorer to NOT reject your site's cookies, under any conditions, do the following:

First, have a human-readable policy statement on your website. Or at least figure out roughly what you would say, if you had one.
Use a P3P policy generator to translate your plain English statement into the P3P policy language. I used the IBM one.
Ensure that your statement specifies personal contact information is opt-in. IE6 will discard your cookies otherwise.
Also make sure it passes the validator

Then save, push the "policy"/"policy reference" files to /w3c on your webserver. Also tweak your server config to return a "P3P:" header with your generated "compact policy" ("CP") string

I'm glad I learned this, but P3P doesn't seem to accomplish much in the way of protecting users' privacy. It mainly seems like a hassle for legit web developers, and a speed-bump for real web criminals. Really, if a website wanted to screw with IE users, they'd just send 'em a trojan/virus and be done with it.

PS: Interestingly... Yahoo! returns a P3P header and has a full policy defined. Google, MySpace, and YouTube have neither the "P3P" header nor "/w3c/p3p.xml" policies on their sites. "curl -I http://www.yahoo.com/" to see for yourself.