Joel's Privacy Preferences Project (P3P) Help Page
The purpose of this page is to provide help for webmasters and other engineers in dealing with P3P and IE6.
With the release of IE6, Microsoft has tried to increase users' control over which cookies are dropped.
Unfortunately, the default settings have broken lots and lots of web sites around the world.
The default IE6 settings are flawed in several ways:
- The setting assumes wide adoption of P3P, but at this point almost no one is using P3P. A sampling of the
largest financial sites shows that less than 1 in 10 have some P3P support, and the ones that attempted P3P support mostly do not pass the P3P validation process.
- The setting makes a false distinction about what Microsoft calls 3rd parties. It treats any reference
to a different domain as a 3rd party. So, for instance, if company A resells company B's product via an HTML frame (a common practice), IE6
thinks of company B as a 3rd party and will reject all of its cookies (including session cookies) unless company B has a
- The IE6 browser accepts or rejects cookies without giving the end user any reason. This makes it difficult for companies to test their
P3P policies, since IE6 doesn't report why a cookie is accepted or rejected. It is also a problem for end users, because
they see cookies rejected and might falsely assume that it's due to a malicious site, when in reality it's only because the site hasn't kept up with Microsoft's
P3P Homepage at W3C
Description of the Platform for Privacy Preferences (P3P) Project
P3P Spec at W3C
IBM P3P Editor
IE P3P Info
What to Do (implementing P3P)
- I would suggest downloading IBM's P3P editor. It's a very useful tool and can help you get started quickly.
- You will also need to figure out how to do a compact policy for your
- Netscape/iPlanet - Peter has written some excellent NSAPI C source to help you write a plugin to drop P3P compact policies, see NSAPI Source (choose nes-managers/October 2001 and look for discussion of P3P)
- Apache - Perl module to help you with P3P (I haven't used it) see Apache P3P
- IIS - should have a built-in UI, see your console
- Read everything, use the policy tool, and implement both the full policy and the compact policy. Microsoft says all that is needed
is the compact policy, but this is not true; you need to implement everything.
- If you use the IBM tool, you will need to specify the policy name in the p3p.xml link to the policy in order to get the "here" link in the IE summary window to work:
<POLICY-REF about="/w3c/mypolicy.xml#policyname">
- Make sure you don't have what Microsoft calls Unsatisfactory Cookies
- Legacy cookies: if the cookie existed before the user upgraded to IE6, Microsoft will leash the cookie. This can be even worse
than if you have a valid 3rd party cookie, see this link for details
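
The two checks from the steps above (both the full policy and the compact policy are advertised, and every POLICY-REF names a policy with `#policyname`) can be automated before testing in IE6. This is an added example, not code from this page or from the IBM tool. The function names, the sample header and the sample XML are constructed for illustration, and it assumes `about` holds an absolute path as in the line above.

```python
import re
import xml.etree.ElementTree as ET

def parse_p3p_header(value):
    """Return (policyref, [compact policy tokens]) from a P3P header value."""
    found = {k.lower(): v for k, v in
             re.findall(r'(policyref|CP)\s*=\s*"([^"]*)"', value, re.I)}
    return found.get("policyref"), found.get("cp", "").split()

def _local(tag):
    """Element name without its XML namespace (P3P drafts used different ones)."""
    return tag.rsplit("}", 1)[-1]

def _elements(xml_text, name):
    return [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == name]

def check_site(header, reference_xml, policies):
    """policies maps a policy file path to its XML text. Returns problems found."""
    problems = []
    policyref, tokens = parse_p3p_header(header)
    if not policyref:
        problems.append("no policyref in header: full policy is not advertised")
    if not tokens:
        problems.append("no CP in header: compact policy is missing")
    for ref in _elements(reference_xml, "POLICY-REF"):
        about = ref.get("about", "")
        path, _, name = about.partition("#")
        if not name:
            problems.append(f"POLICY-REF about={about!r} has no #policyname")
        elif path not in policies:
            problems.append(f"policy file {path} not supplied")
        elif name not in {p.get("name") for p in _elements(policies[path], "POLICY")}:
            problems.append(f"no POLICY named {name!r} in {path}")
    return problems

# Constructed sample data (not taken from a real site).
HEADER = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR CUR ADM DEV OUR BUS"'
POLICIES = {"/w3c/mypolicy.xml": '<POLICIES><POLICY name="policyname"/></POLICIES>'}
GOOD_REF = ('<META><POLICY-REFERENCES>'
            '<POLICY-REF about="/w3c/mypolicy.xml#policyname">'
            '<INCLUDE>/*</INCLUDE></POLICY-REF>'
            '</POLICY-REFERENCES></META>')
BAD_REF = GOOD_REF.replace("#policyname", "")  # policy name left off

if __name__ == "__main__":
    print(check_site(HEADER, GOOD_REF, POLICIES))   # nothing to report
    print(check_site('CP=""', BAD_REF, POLICIES))   # all three problems
```

Pass `check_site` the value of the `P3P:` response header your server sends, the contents of your p3p.xml reference file, and a dict of your policy files.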