- From: Keith Ball <KBall@ecolor.com>
- Date: Thu, 20 Sep 2001 15:13:06 -0700
- To: "'P3P policy '" <www-p3p-policy@w3.org>
We have also implemented P3P in a 3rd party context. It mostly works. The problems we have had to deal with are in the area that Microsoft calls "legacy cookies". These are cookies that existed before IE 6 was installed. So, the user received a cookie from a site with an earlier version of IE and the cookie does not have a P3P policy associated with it. Microsoft made some very short-sighted (IMHO) decisions on how to handle these legacy cookies, preventing those cookies from being used ever in 3rd party context. Our compact policy would allow a newly set cookie to be saved, but the same cookie, if a legacy one, has no way of being upgraded.

In addition, IE 6 indicates a "blocked" cookie by displaying the privacy problem icon in the status bar (but no information in the privacy report dialog) when it tries to use this "legacy" cookie in a 3rd party context. However, with our software, the legacy cookie is overwritten with a new and "satisfactory" cookie. So, the icon isn't displayed in subsequent accesses to the 3rd party site. However, in our case, the old cookie value is lost and cannot be recreated, causing the user to lose information they created.

You can see the E-Color compact policy and find our P3P policy reference and policy file by going to our company site home page with IE6 (www.ecolor.com). Our 3rd party domain is trueinternetcolor.com. Our compact policy is:

NOI DSP CUR ADM DEV OUR IND UNI COM NAV INT

I feel the problem is twofold. First, Microsoft took an expedient shortcut to limit the work they had to do to deal with "legacy" cookies. More importantly, the P3P spec does not effectively address the issue of the status of "legacy" cookies. Specifically, how a user agent should handle upgrading the status of these legacy cookies.

Microsoft's proposed work-around for this legacy cookie problem is to force the end-user to make a 1st party request to a server in the domain where the 3rd party request is targeted. They allow legacy cookies to be returned unqualified to these 1st party requests. However, not all applications have the ability to get a first party request. They gave me no solution to the other problem.

good luck.

keith

----
Keith Ball
E-Color, Inc.

-----Original Message-----
From: Laurel Jamtgaard
To: P3P policy
Sent: 9/20/01 2:04 PM
Subject: RE: what cp will satisfy IE 6?

Ken Martin [mailto:ken@kpmartin.com] wrote:

>My first (quite recent) post here asked if anyone is successfully using
>cookies in IE6 in a third-party context. I didn't get a response yet.
>Specifically, I'm using .domain.com cookies.
[snip]
>Ken Martin

Ken and others,

We have implemented P3P in a third-party context. It took some fiddling but it seems to be working OK with IE 6. This is our compact policy:

CP="NOI LAW NID BUS CUSo PSAo PSDo TAIo OUR OTR COM DEM NAV PRE STA PUR INT NAV"

Regards,
Laurel
Chief Privacy Officer and General Counsel
Angara E-Commerce Services, Inc.
www.angara.com
Received on Thursday, 20 September 2001 18:10:39 UTC
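
The following is an added example, not part of either message: a small Python lint for compact policy strings like the two quoted in this thread. The token sets are taken from the P3P 1.0 Recommendation as an assumed reference, the function names `parse_cp` and `lint_cp` are hypothetical, and the check covers token syntax only; it does not model how IE 6 decides whether a policy is satisfactory.

```python
import re

# Compact-policy vocabulary of the P3P 1.0 Recommendation (assumed reference set).
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
FIXED = ACCESS | {"DSP", "COR", "MON", "LAW", "NID", "TST",   # disputes, remedies, misc
                  "NOR", "STP", "LEG", "BUS", "IND",          # retention
                  "CUR", "OUR"}                               # never take a suffix
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
# Purposes and recipients that may carry a consent suffix:
# a = always, i = opt-in, o = opt-out.
CONSENTABLE = {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
               "TEL", "OTP", "DEL", "SAM", "UNR", "PUB", "OTR"}


def parse_cp(value):
    """Split a bare token string, or a P3P header value containing CP="...", into tokens."""
    match = re.search(r'CP\s*=\s*"([^"]*)"', value)
    return (match.group(1) if match else value).split()


def lint_cp(value):
    """Report tokens outside the vocabulary, repeated tokens, and a missing access token."""
    tokens = parse_cp(value)
    report = {"tokens": tokens, "unknown": [], "duplicates": [], "has_access": False}
    seen = set()
    for tok in tokens:
        base, suffix = tok[:3], tok[3:]
        known = (tok in FIXED or tok in CATEGORIES
                 or (base in CONSENTABLE and suffix in ("", "a", "i", "o")))
        if not known:
            report["unknown"].append(tok)
        if tok in seen:
            report["duplicates"].append(tok)
        seen.add(tok)
        if tok in ACCESS:
            report["has_access"] = True
    return report


if __name__ == "__main__":
    # The two compact policies quoted in the thread above.
    for cp in ('NOI DSP CUR ADM DEV OUR IND UNI COM NAV INT',
               'CP="NOI LAW NID BUS CUSo PSAo PSDo TAIo OUR OTR COM DEM NAV PRE STA PUR INT NAV"'):
        print(lint_cp(cp))
```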