RE: P3P/IE6 and cookies

This site contains information about the IE 6 public preview
implementation:
http://msdn.microsoft.com/workshop/security/privacy/ie6privacyfeature.asp

GH

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: Tuesday, May 15, 2001 9:40 AM
To: Neil Durrant
Cc: www-p3p-policy
Subject: Re: P3P/IE6 and cookies


On Mon, May 14, 2001 at 02:57:22PM -0400, Neil Durrant wrote:
> Hi,
> 
> I wonder if anyone on this list can offer a little assistance?

That's what this list and www-p3p-dev@w3.org are for. Please see also
the archives[0].
> 
> I'm trying to get to grips with IE6 implementation of The Platform for
> Privacy Preferences Project and its handling of cookies.
> 
> I've spent ages looking through relevant documentation and keep coming
> up with conflicting data or information that I'm unsure can be deemed
> as 100% reliable but..

From all I heard, IE6 implements the compact policies as defined by the
P3P Specification[1]. So it should be clear what IE6 does. If IE6 is
behaving differently, it would be great if you would report this back
to this list (or www-p3p-dev@w3.org).

> 
> I believe IE6 is compliant with The Platform for Privacy Preferences 
> Project (P3P) - http://www.w3.org/P3P/

As said, the privacy features claim to be an implementation of the
compact policies. 
> 
> The most worrying comment I have seen is that -
> 
> "If a site doesn't put up a compliant privacy policy at the site, P3P 
> compliant browsers (such as IE6) will automatically refuse cookies 
> from them unless the surfer changes the default settings for IE6 - an 
> unlikely proposition."
> 
> Unsure if this statement is 100% accurate and I really needed to 
> ascertain if this is the case?

I think they refer to the safe-zone behaviour as described in the P3P
Specification. If a P3P client does not find a P3P policy or if there is
a mismatch to the preferences, the client should remain in the
"safe-zone" state and not send out unnecessary data (e.g. referer,
cookies etc.).

What you are concerned about are the default preferences. The P3P
Specification requires that a user agent has to openly document a
mechanism to import preferences (or use APPEL-Language[2]).

I assume from your mail address that you're asking yourself
the question from a UK perspective. The UK has implemented the European
Data Protection Directive. If you follow those rules and express them in
the compact policies, I would be surprised to find a cookie blocked.

Perhaps you should contact your data protection authority to help you
implement P3P on your site.

If you are looking for further information on how to implement P3P compact
policies on your Web server, please have a look at the Server
Implementation Guide[3] written by Martin Presler-Marshall from IBM.

To write a policy, it might help you to use the P3P Policy Editor[4].

Best, 


Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
+33 (0)6 73 84 87 31    F-06902 Sophia Antipolis
http://www.w3.org/

> 
> Can anyone throw anymore light on this?
> 
> Neil Durrant
> www.AffiliateMarketing.co.uk

  0. http://lists.w3.org/Archives/Public/www-p3p-policy/
  1. http://www.w3.org/TR/P3P/#compact_policies
  2. http://www.w3.org/TR/P3P-preferences
  3. http://www.w3.org/TR/p3pdeployment
  4. http://www.alphaworks.ibm.com/tech/p3peditor

Received on Tuesday, 15 May 2001 13:23:51 UTC