Internet Explorer supports a cookie-restricting privacy feature called P3P. Web developers often get tripped up by it because no other browser implements the P3P standard. I’ve written about IE’s cookie control features previously (and more comprehensively), but here’s a summary of the “least you need to know.”
By default, IE will reject cookies coming from 3rd-party contexts. A 3rd-party context is one where the domain of the content differs from the domain of the page that pulls that content in. Possible third-party contexts include pretty much any element that accepts a URL: <script>, <img>, <link>, <frame>, <iframe>, <audio>, <video>, et cetera. It also includes cross-domain XMLHttpRequests that attempt to send cookies because the withCredentials flag is set.
For instance, consider a webpage with a subframe, like this:
The 1st-Party Context is domain1.com and the 3rd-Party Context is domain2.com. By default, if the HTML content in the IFRAME tries to set a cookie, it will fail to do so. IE will behave as if the cookie from domain2.com doesn’t exist.
That command will show you a summary of what happened to cookies during the loading of the page. For instance, loading this blog post yields the following:
For instance, this blog sends the following:
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Each token in the Compact Policy (CP) attribute has a particular meaning that explains in a machine-readable way how the cookie will be used. Fiddler’s Cookies Response Inspector breaks down the policy into English (well… legalese, at least :-)
The P3P statement must be provided by the 3rd party content. In our example:
…when the subframe tries to set a cookie, IE only considers the P3P statement from domain2.com. Adding a P3P statement to domain1.com will NOT change the cookie handling for the subframe.
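As an added example (not code from the original post), here is a small JavaScript model of the two rules laid out above, plus the "Enable Strict P3P Validation" behaviour discussed in the comments: a cookie set in a 3rd-party context is rejected unless the 3rd party's own response carries a compact policy, and under strict validation a CP containing undefined tokens counts as no policy at all. The token table is the compact-policy list from the P3P 1.0 Recommendation, the same-site test is a two-label approximation that ignores public-suffix rules, and every URL and header value below is constructed for the example. IE's real Medium privacy setting also evaluates what an accepted policy says; this model deliberately stops at "present and well-formed or not".

```javascript
// Added example (not from the original post): models the cookie-acceptance rule
// described above for a resource loaded into a page, plus parsing and strict
// validation of a P3P compact policy (CP) header. The token tables and the
// same-site test are assumptions of this example, not IE's implementation.

// Compact-policy tokens from the P3P 1.0 Recommendation (section 4.2). Tokens
// that may carry an a/i/o "required" suffix are listed as bases; CUR and OUR
// take no suffix.
const CP_BARE = new Set([
  'NOI', 'ALL', 'CAO', 'IDC', 'OTI', 'NON',            // ACCESS
  'DSP',                                                // DISPUTES
  'COR', 'MON', 'LAW',                                  // REMEDIES
  'NID',                                                // NON-IDENTIFIABLE
  'CUR',                                                // PURPOSE (no suffix)
  'OUR',                                                // RECIPIENT (no suffix)
  'NOR', 'STP', 'LEG', 'BUS', 'IND',                    // RETENTION
  'PHY', 'ONL', 'UNI', 'PUR', 'FIN', 'COM', 'NAV', 'INT',
  'DEM', 'CNT', 'STA', 'POL', 'HEA', 'PRE', 'LOC', 'GOV', 'OTC', // CATEGORIES
  'TST',                                                // TEST
]);
const CP_SUFFIXED = new Set([
  'ADM', 'DEV', 'TAI', 'PSA', 'PSD', 'IVA', 'IVD', 'CON', 'HIS', 'TEL', 'OTP', // PURPOSE
  'DEL', 'SAM', 'UNR', 'PUB', 'OTR',                                            // RECIPIENT
]);

// A token is defined if it is a bare token, or a suffixable base with an
// optional a/i/o suffix (a bare base means required="always").
function isDefinedToken(tok) {
  if (CP_BARE.has(tok)) return true;
  const m = /^([A-Z]{3})([aio])?$/.exec(tok);
  return m !== null && CP_SUFFIXED.has(m[1]);
}

// Extract the CP attribute from a P3P header value. Returns the token list, or
// null when there is no well-formed CP="..." attribute (treated as no policy).
function parseCompactPolicy(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  if (!m) return null;
  const tokens = m[1].trim().split(/\s+/).filter(Boolean);
  return tokens.length ? tokens : null;
}

// Approximate "same site" test: compare the last two DNS labels of each host.
// This ignores public-suffix rules (e.g. co.uk); it is enough to show the idea.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split('.').slice(-2).join('.');
}
function isThirdParty(topLevelUrl, resourceUrl) {
  return siteOf(topLevelUrl) !== siteOf(resourceUrl);
}

// Decide whether a Set-Cookie on `resourceUrl`, loaded by the page at
// `topLevelUrl`, is accepted. `p3pHeader` is the P3P header on the *resource's*
// response; the top-level page's header is never consulted, which is exactly
// why adding P3P to domain1.com does nothing for a domain2.com subframe.
// With `strict` true, a CP containing any undefined token counts as missing.
function cookieDecision({ topLevelUrl, resourceUrl, p3pHeader = null, strict = false }) {
  if (!isThirdParty(topLevelUrl, resourceUrl)) {
    return { accepted: true, reason: 'first-party context' };
  }
  const tokens = parseCompactPolicy(p3pHeader);
  if (!tokens) {
    return { accepted: false, reason: 'third-party context without a compact policy' };
  }
  const undefinedTokens = tokens.filter((t) => !isDefinedToken(t));
  if (strict && undefinedTokens.length) {
    return { accepted: false, reason: 'strict validation: undefined tokens ' + undefinedTokens.join(' ') };
  }
  return { accepted: true, reason: 'third-party context with compact policy', undefinedTokens };
}

// Constructed inputs for the example (not real headers from any site).
const PAGE = 'http://www.domain1.com/page.html';
const FRAME = 'http://ads.domain2.com/frame.html';
const GOOD_CP = 'CP="NOI DSP COR NID ADMa DEVa OUR IND"';
const PROSE_CP = 'CP="This is not a P3P policy"'; // a sentence, not tokens

function runScenarios() {
  return {
    firstParty: cookieDecision({ topLevelUrl: PAGE, resourceUrl: 'http://img.domain1.com/a.png' }).accepted,
    noPolicy: cookieDecision({ topLevelUrl: PAGE, resourceUrl: FRAME }).accepted,
    validPolicy: cookieDecision({ topLevelUrl: PAGE, resourceUrl: FRAME, p3pHeader: GOOD_CP }).accepted,
    proseLenient: cookieDecision({ topLevelUrl: PAGE, resourceUrl: FRAME, p3pHeader: PROSE_CP }).accepted,
    proseStrict: cookieDecision({ topLevelUrl: PAGE, resourceUrl: FRAME, p3pHeader: PROSE_CP, strict: true }).accepted,
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run it with node; the `proseLenient`/`proseStrict` pair is the interesting one: a header whose CP is an English sentence rather than tokens is still "a policy" to the lenient parser, and only becomes equivalent to no header at all once strict validation is on.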
A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits.
There’s tons more to learn about P3P (see this and this) but here are a few quick notes:
-EricLaw MVP – Internet Explorer
"A P3P statement is a legal declaration of how your cookie will be used. You shouldn’t just throw “whatever works” into a P3P header, or you might find yourself in violation of national privacy laws and/or subject to civil lawsuits."
Yeah, I wish someone would sue Google for this. They send invalid P3Ps to bypass protections in IE. Surely much worse than what they got into trouble for: using a bug in Safari to bypass that browser's protections.
There is an option called "Enable Strict P3P Validation" in Internet Options\Advanced. What does it do and why is it not enabled by default?
@Whale: Great question, and it's related to Mog0's question. Google and Facebook send a P3P policy which asserts that they do nothing with the cookies they send (obviously counterfactual). I wrote about that behavior here: blogs.msdn.com/.../google-bypassing-user-privacy-settings.aspx
The "Enable Strict P3P Validation" setting causes statements with undefined tokens (like Google and Facebook) to be treated as missing. There's a test page which allows you to explore this setting here: http://webdbg.com/test/cookie/
Some resources for P3P generation are listed here: www.p3ptoolbox.org/.../resources1.shtml