
RE: Third-party cookies working, sort of

From: Henning Michael Møller Just <henning.just@datagraf.dk>
Date: Thu, 22 May 2008 09:15:59 +0200
Message-ID: <6FCFBF661492E64485174BEB2C082C150277D70F@hermod.datagraf.dk>
To: "Lorrie Faith Cranor" <lorrie@cs.cmu.edu>
Cc: <www-p3p-policy@w3.org>

Thank you for answering my message. I have some trouble understanding some of the details so I'm sending this followup...

>>
>> In case (A) there are no problems. This was the first site so I was  
>> happy and thought I had the situation under control :-)
>>
>> In case (B) the cookies were blocked in IE7 (and IE6). Not just my  
>> cookie but also their cookie. I didn't know about P3P before this  
>> but read up on it and finally figured out how to make a proper  
>> policy for my site. When my cookie still didn't work I figured out  
>> how to make a compact policy and added it to the header. Then the  
>> cookie worked for my site.
>
> That sounds about right.

Sorry? Do you mean case (B) or both?

>>
>> In both cases the client sites have a /w3x/p3p.xml file, but they are
>> 1) almost identical and 2) have syntax errors in the <COOKIE-INCLUDE>.
>> There's no P3P: header in the HTTP headers and there's no
>> P3P compliant <link> element, so http://www.w3.org/P3P/validator.html
>> cannot find a valid policy reference file.
>>
> 
> This is not a syntax error. The validator gives a warning, but as long  
> as there is a valid policy reference file at /w3c/p3p.xml, there is no  
> problem.

What I meant was that the validator gives a syntax error, because the <COOKIE-INCLUDE> tag looks like this: "<COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>". The rest was just information :-)

> What is happening is your site's cookie is being treated as a third-party
> cookie from the perspective of the client sites. IE7 blocks
> third-party cookies that don't have P3P compact policy headers. It
> doesn't matter whether the first party-site (in this case your
> client's site) has P3P for determining whether the third-party cookie
> gets blocked.

Thank you. I *thought* that was how it worked but many different people have presented me with many different opinions on this =:-|

>> In case (A) I am not providing any P3P information. No reference  
>> file, no compact policy. In case (B) I am now providing the  
>> information, but before doing that it didn't work.
>>

> Hard to tell from the information you have provided.

Do you have an idea what kind of information would be helpful? I unfortunately cannot disclose the URLs, but I should be able to find out whatever else is needed.

>> In case (A) the iframe has src set to the https:// path for my site.  
>> In case (B) the iframe has src set to the http:// path for my site  
>> (giving the user a horrible warning about viewing secure and  
>> insecure items). My site then redirects to https://
> 
> If you use https then you must make sure your P3P policy reference  
> file is also available via https

It is. But I'm still only providing it for my own site in case (B).

>> I hope I make sense with all this - and I know it works now and I  
>> ought to be happy, but I want to know why it didn't work before.  
>> Otherwise it will just become a magic potion I'll have to apply  
>> every now and then :-(
> 
> These articles may help:
> http://www.oreillynet.com/pub/a/javascript/2002/10/04/p3p.html
> http://www.oreillynet.com/pub/a/javascript/2002/11/19/p3p.html

Yes, I forgot to write that. Both articles have been very helpful. In fact, it was through those articles and their links I even found this mailing list. I believe it was through the website for the book.

Best regards
Henning Michael Møller Just
Received on Thursday, 22 May 2008 07:16:57 GMT
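
Added example, not part of the original message or of any W3C tool: a small Python audit of a framed response against the three conditions raised in this thread (a third-party cookie sent without a compact policy, an http:// frame inside an https:// page, and a policy reference that is not reachable over https). The host names, the cookie and the CP tokens are constructed, and comparing the last two host labels to decide "third party" is a simplifying assumption, not IE7's actual rule.

```python
import re
from urllib.parse import urlsplit

# P3P response header, e.g.  P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR"
_P3P_FIELD = re.compile(r'(policyref|CP)\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_p3p(value):
    """Return the policyref and the compact policy tokens of a P3P header."""
    fields = {k.lower(): v for k, v in _P3P_FIELD.findall(value or "")}
    return {"policyref": fields.get("policyref"),
            "cp": fields.get("cp", "").split()}


def site(host):
    # Assumption: the last two labels stand in for the site (wrong for co.uk etc.).
    return ".".join(host.lower().split(".")[-2:])


def audit(page_url, frame_url, headers):
    """headers: (name, value) pairs of the response that fills the iframe."""
    page, frame = urlsplit(page_url), urlsplit(frame_url)
    third_party = site(page.hostname) != site(frame.hostname)
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    p3p = parse_p3p(next((v for n, v in headers if n.lower() == "p3p"), None))
    findings = []
    if cookies and third_party and not p3p["cp"]:
        findings.append("third-party cookie without compact policy")
    if page.scheme == "https" and frame.scheme == "http":
        findings.append("http frame inside https page")
    ref = p3p["policyref"]
    if frame.scheme == "https" and ref and urlsplit(ref).scheme == "http":
        findings.append("policyref not served over https")
    return {"third_party": third_party, "cp": p3p["cp"], "findings": findings}


# Constructed sample: a client page framing a vendor application.
PAGE = "https://www.client.example/order"
FRAME = "https://app.vendor.example/form"
BARE = [("Set-Cookie", "sid=abc123; Path=/")]
WITH_CP = BARE + [("P3P", 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"')]

if __name__ == "__main__":
    for label, hdrs in (("no P3P header", BARE), ("with CP", WITH_CP)):
        print(label, "->", audit(PAGE, FRAME, hdrs)["findings"])
```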
