Joel's Privacy Preferences Project (P3P) Help Page


Purpose

The purpose of this page is to provide help for webmasters and other engineers in dealing with P3P and IE6.

Background

With the release of IE6, Microsoft has tried to give users more control over which cookies are dropped. Unfortunately, its default settings have broken lots and lots of web sites around the world. The default IE6 settings are flawed in several ways:
  1. The setting assumes wide adoption of P3P; at this point almost no one is using P3P. A sampling of the largest financial sites shows that fewer than 1 in 10 have some P3P support, and the ones that attempted P3P support mostly do not pass the P3P validation process.
  2. The setting makes a false distinction about what Microsoft calls 3rd parties. It designates as a 3rd party any reference to a different domain. So, for instance, if company A resells company B's product via an HTML frame (a common practice), IE6 treats company B as a 3rd party and will reject all of its cookies (including session cookies) unless company B has a satisfactory privacy policy.
  3. The IE6 browser accepts or rejects cookies without giving any reason to the end user. This makes it difficult for companies to test their P3P policies, since IE6 doesn't report why a cookie is accepted or rejected. It also gives end users a problem: they see cookies rejected and might falsely assume it's due to a malicious site, when in reality it's only because the site hasn't kept up with Microsoft's forced standards.

Links

P3P Homepage at W3C
Description of the Platform for Privacy Preferences (P3P) Project
P3P Validator
P3P Spec at W3C
IBM P3P Editor
IE P3P Info

What to Do (implementing p3p)

  1. I would suggest downloading IBM's P3P editor; it's a very useful tool and can help you get started quickly.
  2. You will also need to figure out how to do a compact policy for your

Gotchas

  1. Read everything, use the policy tool, and implement both the full policy and the compact policy. Microsoft says all that is needed is the compact policy, but this is not true; you need to implement everything.
  2. If you use the IBM tool, in order to get the "here" link in the IE summary window to work, you will need to specify the policy name in the p3p.xml link to the policy. For example:
     inside p3p.xml:
       <POLICY-REF about="/w3c/mypolicy.xml#policyname">
     inside the policy:
       <POLICY discuri="http://www.yoursite.com"
               opturi="http://www.yoursite.com"
               name="policyname">
  3. Make sure you don't have what Microsoft calls Unsatisfactory Cookies.
  4. Legacy cookies: if the cookie existed before the user upgraded to IE6, Microsoft will leash the cookie. This can be even worse than having a valid 3rd party cookie; see this link for details.
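Gotcha 2 above is easy to get wrong silently, because IE6 gives no reason when the "here" link fails. The following added Python script (not part of this page or of IBM's tool) checks that every POLICY-REF in a policy reference file carries a #fragment and that the fragment matches the name attribute of a POLICY in the policy file. The two XML samples are constructed for the example; the P3P 1.0 namespace is the real one from the W3C spec.

```python
"""Check that POLICY-REF about="...#name" fragments resolve to a POLICY name."""
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 namespace (W3C spec)

# Constructed sample policy reference file (what p3p.xml would contain).
GOOD_P3P_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY-REFERENCES>
    <POLICY-REF about="/w3c/mypolicy.xml#policyname"><INCLUDE>/*</INCLUDE></POLICY-REF>
  </POLICY-REFERENCES>
</META>"""

# Same file with the fragment left off: the IE summary "here" link cannot resolve.
BAD_P3P_XML = GOOD_P3P_XML.replace("#policyname", "")

# Constructed sample policy file referenced by the entries above.
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="policyname" discuri="http://www.yoursite.com" opturi="http://www.yoursite.com">
    <ACCESS><nonident/></ACCESS>
  </POLICY>
</POLICIES>"""


def policy_names(policy_xml: str) -> set:
    """Return the name attributes of all POLICY elements in a policy file."""
    root = ET.fromstring(policy_xml)
    return {p.get("name") for p in root.iter(P3P_NS + "POLICY") if p.get("name")}


def check_policy_refs(p3p_xml: str, policy_xml: str) -> list:
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    names = policy_names(policy_xml)
    for ref in ET.fromstring(p3p_xml).iter(P3P_NS + "POLICY-REF"):
        about = ref.get("about", "")
        _path, frag = urldefrag(about)  # split "/w3c/mypolicy.xml#policyname"
        if not frag:
            problems.append(f"{about!r}: no #policyname fragment in about attribute")
        elif frag not in names:
            problems.append(f"{about!r}: no POLICY named {frag!r} (found {sorted(names)})")
    return problems


if __name__ == "__main__":
    for label, ref_file in (("good", GOOD_P3P_XML), ("bad", BAD_P3P_XML)):
        print(label, check_policy_refs(ref_file, POLICY_XML) or "OK")
```

To run it against a live site, replace the two constants with the contents of /w3c/p3p.xml and the policy file it points at.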