February 21, 2008
My introduction to P3P was purely out of need. I maintain a website where we were using Google Analytics to count our users, but we noticed that a disproportionate number of Firefox users were being reported. Further inspection revealed that visits from over half of our Internet Explorer users were not being recorded.
This web site appeared within an iframe on a different domain than the frame parent, and we noticed that the Google Analytics cookies were not being set in the default Internet Explorer environment with a medium privacy setting. A privacy icon also appeared in Internet Explorer's status bar, indicating that site cookies have been blocked.
Why does this cross-domain cookie issue only manifest itself in Internet Explorer 6 and Internet Explorer 7?
It turns out that Firefox and Internet Explorer have different definitions for "third-party" cookies. In IE, a cookie is considered to be "third-party" if the cookie's domain differs from the domain shown in the address bar (even if the domain of the cookie is the same as the domain of the page that is setting the cookie). In Firefox, a cookie is considered to be "third-party" if the domain of the cookie is different from the domain of the page that is setting the cookie (regardless of the address that appears in the location bar).
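The two definitions above, applied to a few constructed page/cookie combinations, including the framed-site case from this post. This is an added example, not code from the original post; the hostnames, the function names and the last-two-labels domain comparison are assumptions made for illustration.

```javascript
// Simplification (assumption): a host's "domain" is its last two labels.
// Real browsers use more elaborate rules to decide the site domain.
function siteDomain(host) {
  const labels = host.toLowerCase().replace(/^\.|\.$/g, "").split(".");
  return labels.slice(-2).join(".");
}

// addressBarUrl:  top-level page shown in the address/location bar
// settingPageUrl: the document (for example an iframe) setting the cookie
// cookieDomain:   the domain the cookie is set for
function classifyCookie({ addressBarUrl, settingPageUrl, cookieDomain }) {
  const cookie = siteDomain(cookieDomain);
  return {
    // IE 6/7 rule from the post: compare with the address bar.
    ieThirdParty: cookie !== siteDomain(new URL(addressBarUrl).hostname),
    // Firefox rule from the post: compare with the page setting the cookie.
    firefoxThirdParty: cookie !== siteDomain(new URL(settingPageUrl).hostname),
  };
}

// Constructed scenarios; every hostname is a placeholder.
const scenarios = {
  // The post's case: our site runs in an iframe under another domain.
  framedSite: { addressBarUrl: "https://portal.example.com/",
    settingPageUrl: "https://www.example.net/app", cookieDomain: ".example.net" },
  // The same site opened directly, with no frame parent.
  topLevelSite: { addressBarUrl: "https://www.example.net/app",
    settingPageUrl: "https://www.example.net/app", cookieDomain: ".example.net" },
  // A resource from another domain embedded in a top-level page.
  embeddedResource: { addressBarUrl: "https://www.example.net/",
    settingPageUrl: "https://www.example.net/", cookieDomain: "stats.example.org" },
  // A resource from the frame parent's domain loaded inside the iframe.
  parentResourceInFrame: { addressBarUrl: "https://portal.example.com/",
    settingPageUrl: "https://www.example.net/app", cookieDomain: "portal.example.com" },
};

// Names of the scenarios where the two browsers disagree.
function divergentScenarios(all) {
  return Object.keys(all).filter((name) => {
    const r = classifyCookie(all[name]);
    return r.ieThirdParty !== r.firefoxThirdParty;
  });
}

console.log(divergentScenarios(scenarios));
```

Only the framed cases diverge, which is why the analytics cookies were counted for Firefox visitors but blocked for Internet Explorer visitors at the medium privacy setting.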
Here is a summary of what you need to do in order to allow third-party cookies to be set in IE:
- IBM's P3P Policy Editor will also generate a P3P compact policy for you.
- Place your policy reference XML file (p3p.xml) and policy XML file (policy.xml) in the well-known location set forth by the P3P standard (/w3c/p3p.xml and /w3c/policy.xml).
P3P does not enforce that site owners adhere to their own privacy policies; it merely automates the interpretation of the legalese in which most privacy policies are written. The enforcement of privacy laws is left to the judicial system.