A Quick Look at P3P

  • Article

Internet Explorer supports a cookie-restricting privacy feature called P3P. Web developers often get tripped up by it because no other browser implements the P3P standard.

I’ve written about IE’s cookie control features previously (and more comprehensively), but here’s a summary of the “least you need to know.”

P3P Made Simple

By default, IE will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain on the content is different than the domain of the page that pulls in that content. Possible third-party contexts include pretty much any element that accepts a URL: <script>, <img>, <link>, <frame>, <iframe>, <audio>,<video>, et cetera. It also includes cross-domain XmlHttpRequests which attempt to send cookies when the withCredentials flag is set.

For instance, consider a webpage with a subframe, like this:

image

The 1st-Party Context is domain1.com and the 3rd-Party Context is domain2.com. By default, if the HTML content in the IFRAME tries to set a cookie, it will fail to do so. IE will behave as if the cookie from domain2.com doesn’t exist.

Unfortunately, IE’s F12 Developer Tools won’t show a warning when this happens. In older versions of IE, you’d see a little “eye” icon in the IE status bar, but that was removed in IE9. Today, to see that a cookie has been rejected, you have to click View > Web Page Privacy Policy.

image

That command will show you a summary of what happened to cookies during the loading of the page. For instance, loading this blog post yields the following:

image

Declare Your Policy

To get IE to accept cookies from your server in a 3rd-party context (or to get IE to resend a previously-set cookie to your server when it is accessed in a 3rd-party context), you must declare the privacy policy that governs how your cookies will be used. That declaration takes the form of a P3P header on the HTTP response (or, less commonly, a META tag with the same content).

For instance, this blog sends the following:

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

Each token in the Compact Policy (CP) attribute has a particular meaning that explains in a machine-readable way how the cookie will be used. Fiddler’s Cookies Response Inspector breaks down the policy into English (well… legalese, at least :-)

image

Upon receiving a cookie, IE will automatically the cookie’s privacy policy to the user’s configured preferences when deciding whether or not to accept, restrict, or block the cookie.

The P3P statement must be provided by the 3rd party content. In our example:

image 

…when the subframe tries to set a cookie, IE only considers the P3P statement from domain2.com. Adding a P3P statement to domain1.com will NOT change the cookie handling for the subframe.

A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits.

Can’t Get Enough?

There’s tons more to learn about P3P (see this and this) but here are a few quick notes:

  1. P3P is only evaluated for certain security zones (Internet and maybe Trusted)
  2. Users can reconfigure their P3P controls to be more or less restrictive
  3. Beyond accepting or blocking cookies, P3P can also leash (cookie will only be sent in a 1st party context) or downgrade (persistent cookie will be converted into a session cookie and discarded at the end of the session)
  4. For April Fools Day in 2011, I jokingly proposed an evolution of P3P called P5P.

 

-EricLaw
MVP – Internet Explorer

Update: P3P is currently non-functional in the current Windows 10 preview build; although all of the UI remains present, it has no effect. No announcement has been made about the future of P3P.