Re: 3rd-party cookies not working from Lorrie Cranor on 2001-12-17 (www-p3p-policy@w3.org from December 2001)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Mon, 17 Dec 2001 09:21:35 -0500
To: <www-p3p-policy@w3.org>
Message-ID: <000d01c18706$225c1c60$3e06cf87@research.att.com>

Jess and I have been discusing this problem and
have discovered that his server is not including
the CP on every request. In particular it is not
sending the CP on requests to a URL that
contains a & character. In the process of figuring
this out, we found a bug in the W3C validator that
was causing the header checker to omit the
parts of a URL after the & character. This
has since been fixed.

Remember & is a special character that may
need to be escaped in your configuration files --
the escape code is %3F

If you want to verify that your server is really sending
the CP, use the P3P validator
http://www.w3.org/P3P/validator/
and pay attention
to the output it gives for "step 2" -- if it doesn't
say anything about a CP, your server isn't sending
the header.

Lorrie


----- Original Message -----
From: "Speicher, Kevin" <Kevin.Speicher@globeinteractive.com>
To: <www-p3p-policy@w3.org>
Cc: <jesso2000@earthlink.net>
Sent: Monday, December 17, 2001 8:19 AM
Subject: RE: 3rd-party cookies not working


> Jess:
>
>  We've noticed that some releases (non-beta) of IE 6 behave differently
than
> others with respect to our third party context cookie.
>
>  It may not be your cookie, it may be your browser that's causing your
> grief.
>
> ________________
> Kevin Speicher
> Director of News Special Projects
> Bell Globemedia Interactive
>
>
> -----Original Message-----
> From: jesso2000@earthlink.net [mailto:jesso2000@earthlink.net]
> Sent: December 14, 2001 07:34 PM
> To: www-p3p-policy@w3.org
> Subject: 3rd-party cookies not working
>
>
> Well, after literally a week of research and testing I still can't get IE6
> to read our cookies in a 3rd-party setting - it continually blocks them
> in the default medium setting. We are sending our CP in all headers,
> all the tools we've tried such as http://www.davidjonathangrant.info/p3p/
> say that everything we're doing is correct, etc. etc. but the cookies
> just can't be read in a 3rd-party setting at the default medium level.
>
> What I really don't understand is that according to IE6 there are only
> 2 circumstances in which a 3rd-party cookie will be blocked in the
> default medium setting. And I quote:
>
> Medium
>
> - Blocks third-party cookies that do not have a compact privacy policy
>
> - Blocks third-party cookies that use personally identifiable information
>    without your implicit consent.
>
> The thing that kills is that neither of these cases is true, so why would
> IE6 be blocking our cookies? We do have a compact privacy policy with
> the correct CP header being sent with all requests, and it states that we
> do not use personally identifiable information, so how the heck can IE6
> block our cookies? Is anyone successfully using 3rd-party cookies that
> actually work properly in the default medium setting? If so I would give
> my first born for the details. Is this a bug in IE6 or am I missing
> something?
>
> Thanks,
>
> Jess
>
>

Received on Monday, 17 December 2001 09:22:04 UTC