
Re: no cookies at 3rd party

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 8 Apr 2002 12:46:51 +0200
To: beheer <beheer@willywortel.nl>
Cc: www-p3p-dev@w3c.org
Message-ID: <20020408104651.GJ1113@localhost>

On Fri, Apr 05, 2002 at 07:05:27PM +0200, beheer wrote:
> Hi,
> 
> >In order to prevent IE6 from blocking third-party cookies you
> >must have a "satisfactory" P3P compact policy in the
> >same HTTP response that contains the set-cookie headers.
> 
> Right. So what any third party cookiebakery could do now is send an
> "innocent" header like P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP
> IND DEM" and their cookies will be accepted no matter what the privacy
> settings.  The relevance of this possibility should be discussed in
> some other forum I guess, but from a technical point of view it
> seems a bit fluffy to me.

If someone is a third party cookiebakery and sends an "innocent" header
and the announced practice does not correspond to the followed practice,
the statement is wrong.

This might encounter all sorts of sanctions, especially in a European
context.

Also note that in the disputes-element, there is space for "assurance
parties" like label-programs and data commissioners. In this context,
there might also be consequences in the relation to the assurance party
or the data commissioner, if the header made up is not corresponding to
the real practice.

> 
> In the mean time it still seems strange that if a MSIE 6 user decides
> to accept all cookies from a certain domain the browser does not seem
> to adjust its privacy settings. That too is a concern for some other
> list - and for some other company -, I guess.

This might be a bug, so report it to Microsoft. I don't see too much
space for conspiracy-theories here.

Best,
-- 
Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis
Received on Monday, 8 April 2002 06:53:45 GMT
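
Added example, not part of the original message or of any W3C or Microsoft code: a small Python audit of one HTTP response, checking whether a P3P compact policy travels in the same response as its Set-Cookie headers and splitting the CP tokens quoted in the thread. The function name, sample responses and cookie values are constructed; the check covers presence and syntax only, not IE6's "satisfactory" rules or whether the declared practice matches the real one.

```python
import re
from email.parser import Parser

# Compact-policy token: three capitals plus an optional consent suffix
# (a = always, i = opt-in, o = opt-out), e.g. "PSAi" or "OTRo".
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')

# Constructed sample responses (cookie values are made up).
WITH_CP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/gif\r\n"
    'P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"\r\n'
    "Set-Cookie: id=constructed123; path=/\r\n\r\n"
)
WITHOUT_CP = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: id=constructed456; path=/\r\n\r\n"
)

def audit_response(raw):
    """Summarise cookie and compact-policy headers of one HTTP response."""
    # Drop the status line, then parse the remaining header block.
    _status, _, header_text = raw.replace("\r\n", "\n").partition("\n")
    msg = Parser().parsestr(header_text, headersonly=True)
    cookies = msg.get_all("Set-Cookie") or []
    match = CP_RE.search(msg.get("P3P") or "")
    tokens, malformed = [], []
    for word in (match.group(1).split() if match else []):
        tok = TOKEN_RE.match(word)
        if tok:
            tokens.append((tok.group(1), tok.group(2)))
        else:
            malformed.append(word)
    return {
        "sets_cookie": bool(cookies),
        "tokens": tokens,
        "malformed": malformed,
        # A cookie sent without any compact policy in the same response.
        "cookie_without_cp": bool(cookies) and not tokens,
    }

if __name__ == "__main__":
    for name, raw in (("with CP", WITH_CP), ("without CP", WITHOUT_CP)):
        print(name, audit_response(raw))
```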
