P3P Policy not working to allow 3rd party cookies in IE

Thanks in advance for helping a first-time poster. I've been banging my head on the wall all day...

I have a site that must be able to function and set cookies while running inside a frame. In IE, with default security settings, this is a problem, because a framed site's cookies are treated as third party. Now, I've read all the info on P3P, and I've created a compact privacy policy, served via HTTP header, an XML policy file, and an XML reference file. I have checked, and the header is being sent properly, and IE can read the policy file.

However, it is STILL blocking cookies from the site. I've created a stripped-down example here: http://www.hankshelper.com/privtest.php (note that cookies in the framed site are being blocked by IE 6, 7, and 8).

If anyone could check out my compact policy

Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR NID DEVi OUR BUS INT\""

and/or XML policy http://www.searchtempest.com/w3c/searchtempest.xml

and let me know wtf, I would be eternally grateful. I've stripped them down as much as possible, and I just can't see anything that IE would have a problem with. (And of course IE itself is wonderfully verbose as far as exactly WHY it's blocking cookies...) I'm happy to provide any additional information you need.

Harrumph answered 10/11, 2009 at 11:6 Comment(2)
Additional info: it appears that cookies are not blocked for some users of IE8. For others they are. So far it appears to be blocking cookies for all users of IE7, but my sample size is small. – Harrumph
Did you manage to solve this issue? Thanks – Montemayor

I'm not certain what part of our original compact policy was being rejected, but I was finally able to solve this problem with the help of a couple of other resources.

From here: http://www.marco.org/2007/04/27/p3p-sucks-how-to-get-frame-cookies-unblocked-in-ie6

This is approximately the minimum HTTP header needed, and it basically says “We’re not collecting any of your personal data”:

P3P: CP="NID DSP ALL COR"

If you actually store some data, such as email addresses and login cookies, this (also working) policy may be more correct:

P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL"

The policy we ended up using was:

ALL ADM DEV PSAo COM OUR OTRo IND ONL

Descriptions of all the compact policy parameters can be found here: http://www.p3pwriter.com/LRN_111.asp

Harrumph answered 17/2, 2013 at 21:13 Comment(0)
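As an added example (not code from the question or from either answer), here is a small Python checker that splits a P3P response header into its policyref and CP parts and validates each CP token against the P3P 1.0 compact-policy vocabulary, which is what the answers above are juggling by hand. The header values it checks are the ones quoted on this page; the "unknown token" and "missing element" findings are the checker's own wording, not anything IE reports.

```python
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each token summarises.
PLAIN = {  # tokens that never take a suffix
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"}, "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"}, "test": {"TST"},
    "purposes": {"CUR"}, "recipients": {"OUR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "categories": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                   "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
}
SUFFIXED = {  # tokens that may carry a required-attribute suffix: a=always, i=opt-in, o=opt-out
    "purposes": {"ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipients": {"DEL", "SAM", "UNR", "PUB", "OTR"},
}
# Statement elements that an identifiable-data policy must summarise; NID may stand in for them.
REQUIRED = ("purposes", "recipients", "retention", "categories")

def parse_p3p(header_value):
    """Split the raw value of a P3P response header into (policyref, list of CP tokens)."""
    ref = re.search(r'policyref="([^"]*)"', header_value)
    cp = re.search(r'CP="([^"]*)"', header_value)
    return (ref.group(1) if ref else None, cp.group(1).split() if cp else [])

def classify(token):
    """Return the element a CP token belongs to, or None if it is not P3P 1.0 vocabulary."""
    for element, words in PLAIN.items():
        if token in words:
            return element
    base, suffix = token[:3], token[3:]
    for element, words in SUFFIXED.items():
        if base in words and suffix in ("", "a", "i", "o"):
            return element
    return None

def validate_cp(tokens):
    """Return a list of problems with a CP token list; an empty list means it is well-formed."""
    problems, elements = [], set()
    for tok in tokens:
        element = classify(tok)
        if element is None:
            problems.append(f"unknown token {tok!r}")
        else:
            elements.add(element)
    if "access" not in elements:  # the ACCESS element is mandatory in every policy
        problems.append("no access token")
    if "non-identifiable" not in elements:  # NID lets a statement omit the other elements
        problems.extend(f"no {e} token" for e in REQUIRED if e not in elements)
    return problems

if __name__ == "__main__":
    # Header from the question above; remember the framed site must send it, not the parent page.
    ref, toks = parse_p3p('policyref="/w3c/p3p.xml", CP="IDC DSP COR NID DEVi OUR BUS INT"')
    print(ref, toks, validate_cp(toks) or "CP tokens parse cleanly")
```

Both the original header and the three CP strings in this answer parse cleanly, so a syntax error in the compact policy is not what was tripping IE here; the checker is still worth running on any header before chasing browser behaviour.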

The policy checker at http://www.webentrust.com/p3p.html says Error: No P3P Policy Found

You are saying, in the p3p header, this:

P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR NID DEVi OUR BUS INT"

meaning "I have this compact policy (CP), and also this full policy: /w3c/p3p.xml". BUT, http://www.hankshelper.com/w3c/p3p.xml (referenced above) gives a 404 Not Found error. You have to create your p3p policy - e.g. using the IBM P3P Editor and upload it to the path you specified.

Yul answered 10/11, 2009 at 11:43 Comment(3)
The header and policy file need to be set for the third party (ie the framed site), not the parent site. You can find the policy reference file at searchtempest.com/w3c/p3p.xml and the policy file at searchtempest.com/w3c/searchtempest.xml – Harrumph
When I visit the policy checker you mentioned (webentrust.com/p3p.html) and give it the url of my privacy policy (hh.searchtempest.com/w3c/searchtempest.xml) it seems to work fine. Also, thanks for the IBM link - I did use that tool to generate the policy originally. – Harrumph
Ah, silly me. You are right, the P3P policy has to be set for the site inside the IFRAME. – Yul