- From: Rigo Wenning <rigo@w3.org>
- Date: Mon, 8 Apr 2002 12:46:51 +0200
- To: beheer <beheer@willywortel.nl>
- Cc: www-p3p-dev@w3c.org
On Fri, Apr 05, 2002 at 07:05:27PM +0200, beheer wrote:
> Hi,
>
> >In order to prevent IE6 from blocking third-party cookies you
> >must have a "satisfactory" P3P compact policy in the
> >same HTTP response that contains the set-cookie headers.
>
> Right. So what any third party cookiebakery could do now is send an
> "innocent" header like P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP
> IND DEM" and their cookies will be accepted no matter what the privacy
> settings. The relevance of this possibility should be discussed in
> some other forum I guess, but from a technical point of view it
> seems a bit fluffy to me.

If someone is a third party cookiebakery and sends an "innocent" header
and the announced practice does not correspond to the followed practice,
the statement is wrong. This might encounter all sorts of sanctions,
especially in a European context. Also note that in the
disputes-element, there is space for "assurance parties" like
label-programs and data commissioners. In this context, there might
also be consequences in the relation to the assurance party or the data
commissioner, if the header made up is not corresponding to the real
practice.

>
> In the meantime it still seems strange that if a MSIE 6 user decides
> to accept all cookies from a certain domain the browser does not seem
> to adjust its privacy settings. That too is a concern for some other
> list - and for some other company -, I guess.

This might be a bug, so report it to Microsoft. I don't see too much
space for conspiracy-theories here.

Best,
--
Rigo Wenning W3C/INRIA
Policy Analyst Privacy Activity Lead
mail:rigo@w3.org 2004, Routes des Lucioles
http://www.w3.org/ F-06902 Sophia Antipolis

Received on Monday, 8 April 2002 06:53:45 UTC