Strict P3P Validation

Internet Explorer offers users many tools to help protect their privacy, including InPrivate Browsing, cookie controls (including P3P), and Tracking Protection Lists. In February of 2012, the IE team described how a misleading P3P statement was being used to circumvent users’ privacy settings.

Default P3P Restrictions

Internet Explorer’s default settings restrict the use of 3rd party cookies that can be used to track visitors across multiple unrelated sites, as described in the UI text on the Privacy tab:

clip_image001

Users may easily adjust the slider to configure the browser with a more or less restrictive policy, or even specify much more granular restrictions using a P3P XML file, as described in my earlier post.

Circumvention

Unfortunately, a small number of websites (like YouTube and Facebook) circumvent P3P settings by sending a P3P statement that consists of only undefined tokens, like this one:

P3P: CP="This is not a P3P policy! See //support.google.com/accounts/bin/answer.py?answer=151657&hl=en-US for more info."

Browsers compliant with P3P interpret this policy as indicating that associated cookies won’t be used for any tracking purpose (or any purpose at all, since all tokens are undefined). By sending this text, the site bypasses P3P restrictions and enables its cookies to be stored and sent back to its servers when you visit any other site that embeds content (e.g. a “Like” button or an advertisement) from the original site.

The fact that a site can circumvent P3P via technical deception was well-understood even as the P3P standard was being authored. In his 1999 book, Weaving the Web, Sir Tim Berners-Lee observed:

Of course, any privacy negotiation is only as trustworthy as the site’s proprietor. However, if a company has, through its Web server, made an undertaking to preserve privacy, and broken that undertaking, then it has acted fraudulently. There are conventional laws to deal with this transgression. Software can't solve this problem. And it should not be up to the consortium or any other technical body to solve it. (page 148)

While his remarks remain relevant today, IE10 and IE11 expose an option to more skeptically scrutinize a site’s P3P declaration, rejecting any policy containing undefined tokens. An Enable Strict P3P Validation checkbox can be found in the Security section of the Advanced tab in the Internet Options control panel.

clip_image002

When this option is enabled, any P3P Compact Policy declaration will be rejected if it contains any invalid tokens. As a consequence, any accompanying cookies will Denied when set from a 3rd party context, and Leashed or Downgraded if set from a 1st party context.

Try It Out

You can try out this behavior using a simple test page. In Internet Explorer’s default privacy configuration (Medium slider setting, non-Strict validation), Internet Explorer blocks the first two 3rd party cookies, since both were sent with no P3P information at all. The browser accepts the next two 3rd party cookies because their P3P statement promises that the cookies aren’t used for tracking. However, the browser in its default configuration also accepts the final two 3rd party cookies, which were set with a P3P statement that contains undefined tokens:

clip_image003

After opting-in to Strict P3P Validation, IE rejects any 3rd party cookies that were set with a bogus P3P declaration:

clip_image004

Guidance

Web Developers
Please ensure that when setting cookies, your site expresses its privacy practices using P3P. You can use the IE Developer Tools’ F12 Network tab to view individual responses’ P3P headers, or you can add P3P/Cookie information to the default display in Fiddler:

image

You should work with your site’s legal team or Chief Privacy Officer to ensure that your P3P declaration properly represents your use of any data associated with the cookie.

Users
Enable the new Strict P3P Validation option to prevent sites from providing certain types of misleading privacy statements. You may also explicitly block or allow any site’s ability to set cookies using the Internet Options control panel’s Privacy tab, and you can use a Tracking Protection List to block requests to sites whose privacy practices do not meet your expectations.

Comparison to Other Browsers

Today, no other mainstream browser supports P3P. The Safari browser claims to reject 3rd-party cookies, and Firefox has an active workitem which was originally designed to match Safari's behavior (more complex now). However, it is important to recognize that the blocking in Safari (and that was planned for Firefox) blocks only setting of cookies from a 3rd party context and does not block sending of cookies to a third party context. This means that you're protected from trackers hosted on sites you'd never directly visit (e.g. an advertising network) but not from trackers on sites you do visit directly (e.g. a social network).

In Safari, cookies from any site you directly visit (e.g. YouTube, Facebook, etc) are returned to those sites anytime their content is embedded in any other site. This transmission of cookies to a 3rd party context is the mechanism by which your social network advertises to you products that you've recently looked at on shopping sites that had embedded "like" buttons from the social network, even if you use a browser that claims to block 3rd party cookies. Such tracking is blocked today in IE10+ when the Strict P3P Validation option is enabled.

-Eric Lawrence
2013 MVP – Internet Explorer