February 2008 Archives

February 21, 2008

P3P: The Platform for Privacy Preferences

My introduction to P3P was purely out of need. I maintain a website where we were using Google Analytics to count our users, but we noticed that a disproportionate number of Firefox users were being reported. Further inspection revealed that visits from over half of our Internet Explorer users were not being recorded.

This web site appeared within an iframe on a different domain from the frame parent, and we noticed that the Google Analytics cookies were not being set in the default Internet Explorer environment with a medium privacy setting. A privacy icon also appeared in Internet Explorer's status bar, indicating that site cookies had been blocked.

Why does this cross-domain cookie issue only manifest itself in Internet Explorer 6 and Internet Explorer 7?

It turns out that Firefox and Internet Explorer have different definitions of "third-party" cookies. In IE, a cookie is considered "third-party" if the cookie's domain differs from the domain shown in the address bar (even if the cookie's domain is the same as the domain of the page that is setting it). In Firefox, a cookie is considered "third-party" if the cookie's domain differs from the domain of the page that is setting it (regardless of the address that appears in the location bar).

Here is a summary of what you need to do in order to allow third-party cookies to be set in IE:

  1. Create a human-readable privacy policy for your web site (i.e. in HTML).

  2. Translate the human-readable privacy policy into an XML document using IBM's P3P Policy Editor (considered to be the best free tool available).

  3. IBM's P3P Policy Editor will also generate a P3P compact policy for you.

  4. Emit a compact policy and a reference to the full privacy policy in the HTTP header of your web page.

  5. Place your policy reference XML file (p3p.xml) and policy XML file (policy.xml) in the well-known location set forth by the P3P standard (/w3c/p3p.xml and /w3c/policy.xml).

  6. If your privacy policy is satisfactory, your web page will be permitted to set cookies. This MSDN article contains a table of things that will make your privacy policy unsatisfactory.

Although the P3P standard specifies that the XML policy files in the well-known location, together with the human-readable privacy policy, are necessary and sufficient, IE6 doesn't work that way: it honours only the compact policy in the HTTP header and ignores every other implementation method. IE7 behaves as the standard describes.
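Steps 4 and 5 above, and the IE6 caveat, are the parts that break in practice, so here is an added example (not code from the original post or from IBM's editor) that builds and validates the P3P header value, parses one from a response, and writes the /w3c/p3p.xml policy reference file. The token list follows the P3P 1.0 compact-policy vocabulary; the policy name `#policy` in the reference file is an assumed placeholder.

```python
import re

# P3P 1.0 compact-policy tokens. Purpose and recipient tokens may carry an
# opt suffix: a = always, i = opt-in, o = opt-out (the suffix is optional).
_PLAIN = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON",
          "LAW", "NID", "OUR", "NOR", "STP", "LEG", "BUS", "IND", "PHY",
          "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT",
          "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC", "TST"}
_OPTABLE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON",
            "HIS", "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}

def is_valid_token(tok):
    """True if tok is a well-formed compact-policy token."""
    if tok in _PLAIN:
        return True
    return tok[:3] in _OPTABLE and (len(tok) == 3 or
                                    (len(tok) == 4 and tok[3] in "aio"))

def build_p3p_header(tokens, policyref="/w3c/p3p.xml"):
    """Header value for step 4: compact policy plus full-policy reference."""
    bad = [t for t in tokens if not is_valid_token(t)]
    if bad:
        raise ValueError("unknown compact-policy token(s): " + ", ".join(bad))
    return 'CP="%s", policyref="%s"' % (" ".join(tokens), policyref)

def parse_p3p_header(value):
    """Split a received P3P header into CP tokens and policyref (None if absent).
    A header with no CP is exactly the case IE6 treats as 'no policy at all'."""
    cp = re.search(r'CP\s*=\s*"([^"]*)"', value)
    ref = re.search(r'policyref\s*=\s*"([^"]*)"', value)
    tokens = cp.group(1).split() if cp else None
    return {"cp": tokens,
            "policyref": ref.group(1) if ref else None,
            "well_formed": tokens is not None and
                           all(is_valid_token(t) for t in tokens)}

def policy_reference_xml(policy_uri="/w3c/policy.xml#policy"):
    """Contents of /w3c/p3p.xml (step 5): every URI on the site uses the full policy."""
    return ('<META xmlns="http://www.w3.org/2002/01/P3Pv1">\n'
            '  <POLICY-REFERENCES>\n'
            '    <POLICY-REF about="%s">\n'
            '      <INCLUDE>/*</INCLUDE>\n'
            '    </POLICY-REF>\n'
            '  </POLICY-REFERENCES>\n'
            '</META>\n' % policy_uri)

if __name__ == "__main__":
    # Constructed sample token set, not a policy for any real site.
    hdr = build_p3p_header(["NOI", "DSP", "COR", "CURa", "ADMa", "OUR", "BUS", "NAV"])
    print("P3P: " + hdr)
    print(parse_p3p_header(hdr))
    print(policy_reference_xml())
```

Send the returned value as the `P3P` response header on every page that sets cookies, including pages served inside a third-party iframe.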

Now that we've discussed the solution, we can go on to explain why P3P was created. P3P Toolbox has a lengthy discussion about the need for P3P. The main idea behind P3P is that it is burdensome and unreasonable for the average web user to hunt down the privacy policy of every site they directly interact with, let alone the sites they unknowingly interact with (like those displayed in iframes). Regular people just don't do this. P3P was created to standardize the discovery of privacy policies from site to site.

P3P does not enforce that site owners adhere to their own privacy policies; it merely automates the interpretation of the legalese in which most privacy policies are written. The enforcement of privacy laws is left to the judicial system.

February 14, 2008

Sad, funny and true web dev story

I asked a MySpace developer why a few particular links on their site were JavaScript onclick events applied to a span tag, rather than anchor tags.

He said it was because the product specifications required those links not to be underlined.

*headdesk*

This explains a lot.

February 12, 2008

Valley Girls

A couple of weeks ago I attended the Silicon Valley Girl Geek Dinner at Google. I've been curious about Women 2.0 and what they were about since I was supposedly in their target demographic. The event left me feeling disappointed because it felt more like a pep rally than a professional development event. Beyond all the slick marketing and corporate sponsorship, there was little substance.

This conversation I overheard at the conclusion of the discussion panel summed it up best:

Girl: Oh honey, this event was so empowering!

Girl's boyfriend: As long as it was empowering for you, dear...

I agreed with her boyfriend. The event wasn't particularly empowering.

Today, I received an invitation to participate in the second OpenSocial Hackathon.

One particular mandatory field on the registration form caught my attention (mostly because it wouldn't let me proceed without submitting an answer for it).

opensocial-hackathon-zoom.gif

My first reaction was, "I am a designer and developer who happens to be female, but I don't see what difference that makes, and why this question is mandatory. Are these people sexist?"

This question makes it sound like they're willing to lower the bar to accommodate women, which makes me feel insulted. I understand that they're trying to encourage more females to come out and participate, but the messaging isn't particularly empowering.

To quote Mike:

By trying to compensate for the historical mistreatment of a group you isolate it and reinforce the definition of the differences between that group and the rest of the world.

February 1, 2008

Flickr under Microsoft

I love Flickr and I use it to back up all of my photos. With today's announcement of Microsoft's offer to buy Yahoo for $44.6 billion, I can't help but wonder what the fate of my vast photo collection may be.

If the acquisition goes through, some of Yahoo's services will inevitably get shut down or merged into MSN's similar offerings. Microsoft doesn't have an existing product that is as cool or popular as Flickr yet, but I don't think Flickr is a particularly profitable operation.

I'm not the only one who is concerned about the future of Flickr:
Latest FlickrCentral discussion thread
Wired article about Flickr and Microsoft's acquisition of Yahoo!
Flickr pool by concerned Flickr users

What are your favourite Yahoo! products and which ones are you most concerned about?