P3P and Internet Explorer


If your Web service does anything that sets cookies, you'll probably bump up against the fact that Internet Explorer--since version 6--has implemented a fairly strict privacy policy regarding cookies. In a nutshell, if the site does not have the right P3P privacy policy, first-party cookies (i.e. from the site itself) are downgraded to session cookies and not stored between browser sessions, and third-party cookies (i.e. from another site) are rejected completely. Here's what to do to solve this problem.

P3P, or the Platform for Privacy Preferences, is a W3C "protocol allowing websites to declare their intended use of information they collect about browsing users." In IE 6 and 7, users can use a slider bar to set their desired degree of privacy, and IE will then automatically check the privacy policy of the sites they visit and "protect" them according to their preferences. The default setting (medium-high, which most people never change) gives the behavior I describe above.

Deploying a P3P policy actually isn't very hard. There are some great tools for creating the policy itself. But it can be difficult to know exactly what to do. I followed these instructions but still have a few questions, so I'll document exactly what I did below.

The first step is to create the policy. I used IBM's P3P policy editor. It's a Java program, so it will run most anywhere. Using the tool takes a little work since it's not clear at first what you're editing. Create your policy from a template if you can since that will save a lot of decisions later. Once you've done that, select Policy->Policy Properties and fill in the information about your service and organization. If you look at the errors, you see that you have to fill just about everything in. Make sure you add a "privacy seal" even if it's just a notice that your customer service department can answer questions.

The policy itself is in the "groups" on the right. Double click each one and make sure you agree with what it says. Clicking on "Errors" will show you things left undone and clicking on "HTML Policy" will show you the human readable version of what you're creating. At the bottom it provides an analysis of how this policy will play in IE. Very helpful.

When you're done and there are no errors, you need to save four things:

  1. The policy itself as name.xml where name is the name you selected under "Web Sites" in the Policy Properties pane. You will likely have just one, but you can have many covering different parts of your site.
  2. A policy reference file as p3p.xml. This file provides discovery services for the policies. Whether you have one or many policies for your site, this file tells programs which policy applies where and how to find them.
  3. A human readable policy
  4. A compact policy. This is a string of three and four letter acronyms that specify the policy in a compact manner.

Put the first two in http://yoursite.com/w3c/... Put the third in whatever URL you specified the human readable policy would be referenced by.

The compact policy is used in the HTTP headers that your server returns for any HTTP request. This gets rid of one or more round trips to the server to request the XML version of the policy. In my experience, this was a necessary step to get IE to recognize the policy.

Having Apache return the compact policy in the header requires building and installing the mod_headers module. I'd already done that, so I simply added this line to my HTTP configuration file:

Header append P3P "CP=\"NOI DSP ADMo DEVo TAIo ... DEM STA\""
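As an added example (my own code, not part of the original post or of any P3P tool), here is a small Python parser that checks a P3P header value against the compact-policy vocabulary from the P3P 1.0 specification and a helper that builds the Apache mod_headers line with the inner quotes escaped; the elided "..." in the line above is not filled in, the tokens in the sample are only those the post shows.

```python
import re

# P3P 1.0 compact-policy tokens, grouped by the policy element each one abbreviates.
ELEMENTS = {
    "access":           {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":         {"DSP"},
    "remedies":         {"COR", "MON", "LAW"},
    "non_identifiable": {"NID"},
    "purpose":          {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                         "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient":        {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention":        {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":         {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                         "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":             {"TST"},
}
# Reverse map: token -> element name.
VOCAB = {tok: elem for elem, toks in ELEMENTS.items() for tok in toks}

_CP_RE = re.compile(r'CP="([^"]*)"')


def parse_compact_policy(header_value):
    """Parse a P3P header value such as 'CP="NOI DSP ADMo DEM STA"'.

    Returns (parsed, unknown): parsed is a list of (element, token, suffix)
    tuples, where suffix is 'a' (always), 'i' (opt-in) or 'o' (opt-out) on
    purpose and recipient tokens and '' otherwise; unknown lists tokens that
    are not in the P3P 1.0 vocabulary, which IE treats as a malformed policy.
    """
    m = _CP_RE.search(header_value)
    if not m:
        raise ValueError('header value carries no CP="..." compact policy')
    parsed, unknown = [], []
    for tok in m.group(1).split():
        base, suffix = tok, ""
        # Only purpose and recipient tokens may carry the one-letter opt suffix.
        if len(tok) == 4 and tok[-1] in "aio" and VOCAB.get(tok[:3]) in ("purpose", "recipient"):
            base, suffix = tok[:3], tok[-1]
        if base in VOCAB:
            parsed.append((VOCAB[base], base, suffix))
        else:
            unknown.append(tok)
    return parsed, unknown


def apache_header_directive(tokens):
    """Build the mod_headers line for a token list, escaping the inner quotes
    so that the CP="..." value survives Apache's double-quoted argument."""
    return 'Header append P3P "CP=\\"%s\\""' % " ".join(tokens)
```

Running parse_compact_policy over your own server's P3P header is a quick way to catch a typo in the token list before testing in IE.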

Once you've got all this installed, you should be able to open IE, double click on the eyeball with the red slash through it in the status bar and confirm that your cookies are no longer blocked. If there are no blocked cookies, the eyeball is not there at all.

That's it from a technology standpoint. The trickier part is deciding whether you can actually live with the restrictions you'll need to put in place to let IE store your cookies.

The whole thing feels like a waste of time. Your product won't be better, and most people won't be any more protected when you're done. But you need to do it in an IE world.