P3P Trouble with Internet Explorer
Recently I've had some customers request that some third-party scripts Lake Quincy Media provides avoid the evil eye of death that IE6+ likes to show if such scripts even think about using cookies. In our case, we are testing to see if the browser has Flash installed, and save the result in a cookie since it is a relatively expensive operation and we do not want to have to repeat it. The source of this IE feature is P3P, which itself exists because of user concerns about online privacy.
The concern I have is that I'm having difficulty bypassing the IE6+ behavior even on my own sites, where I wish to share common scripts between domains. The issue is that along with the evil eye of death, the cookies are actually blocked, which in the case of the Flash detection is a minor issue but in other situations could be more of a problem. So I tried to find a P3P compact policy that would actually PASS IE's restrictive standards.
I came upon several posts suggesting the minimal P3P compact policy, and tried it. The exact policy is CAO PSA OUR. However, even this did not work. So at this point I'm still stymied and looking for the holy grail of P3P compact policies - the one that IE6+ will actually allow to write cookies without crying about it. I'll post if I find such a thing.
3 Comments
Steve Smith said
Here's a bit more info:
Book Extract:
http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html?page=1
W3C Validator:
http://www.w3.org/P3P/validator.html
Dave Burke said
Steve, I implemented P3P for the first time today, passing authentication in a frame from another domain. While you may already know this, the originating site page must be .ASPX, with the P3P on both endpoint pages. I am also sharing the same MACHINEKEY in each web.config.
The following article was helpful to me.
http://tinyurl.com/5y3qyt
p.s. When will you be speaking at the Vermont .NET Users Group again???
karega said
I've attempted this with IBM's privacy policy generator. I've created a compact policy and an XML file; neither worked.