Fog Creek Software
Discussion Board




IE 6 Privacy default to "Medium"

Has anyone else noticed that IE 6 defaults a Privacy setting to Medium which, among other things, blocks "third-party cookies" whose server doesn't provide a Compact Privacy Policy (read: all servers)? I'm surprised there hasn't been more discussion on this. Are people not upgrading to 6.0?

The issue is straight-forward and well-known: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299331

The most egregious problem is the silly frame that Hotmail continues to open links into. If the destination requires cookies, IE6 users most likely won't be able to use it.

pb
Friday, April 26, 2002

I set up one of the sites that I built to have a compact policy, so that it would be P3P friendly. It took 15 minutes using IBM's P3P policy editor (search for it on google) to generate the compact policy (and the verbose policy).

Once the compact policy was generated, it only took me about a minute and a half to add it to every page in the site (using the header() function in PHP).

Of course, the only reason I bothered is because I knew that about 75% of the site's audience was using IE6 (from a university campus).

Benji Smith
Monday, April 29, 2002

For those too lazy to look for it, IBM's P3P Policy Editor is at: http://www.alphaworks.ibm.com/tech/p3peditor

Read (like you always do...) the license agreement before agreeing to it. The license isn't too bad (as they go), but you can only use the editor for 90 days.

Jeff Pleimling
Wednesday, May 01, 2002

Well, it's going to take much longer than 16.5 minutes for the average webmaster to implement a CPP.

I was more interested in why there hasn't been more discussion about this topic considering that it is likely breaking scores of sites and services. Literally every site IE6 users access through a Hotmail message will be prevented from delivering a cookie.

pb
Wednesday, May 01, 2002

Actually, it isn't quite as big a deal as it may seem at first glance. If you read through all of the boring stuff at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpriv/html/ie6privacyfeature.asp you'll see that the MEDIUM setting is not terribly restrictive.

Let's say you've got a website with no compact policy. Someone visits your site and you set a cookie. You can set a persistent cookie or a session cookie. If you set a session cookie, no problem. Everything is normal.

If you set a persistent cookie, IE6 leashes the cookie, meaning that your site can retrieve the value of that cookie as long as you retrieve that cookie from the first-party context. If you try to retrieve the cookie from a third-party context, IE6 will refuse. (An example of 3rd party context is when you have a banner ad for your site, hosted on your domain, that is placed into a page under a different domain using an IFRAME tag).

Even without a compact policy, session cookies can be set and retrieved through the 3rd party context. Just don't try to set and retrieve persistent 3rd party cookies. It won't work.

So, all in all, IE6 functionality really has little effect on the average website. When I build a site, I can still use cookies to create the shopping cart or to make user-specific customizations or to track data about site navigation.

Now, your banner-ad companies are a different story altogether. This functionality has a huge impact on companies like DoubleClick. Normally, DoubleClick places and retrieves cookies from the 3rd party context for every ad they serve to every user.

Of course, IE6 won't prevent them from serving ads. It just prevents them from serving _targeted ads_. And eventually they'll figure out how to work around the system.

Net effect of IE6 privacy settings: nearly zero.

On a separate but somewhat related note, the biggest security problem that I know of is IE-WMP Super Cookies. If you don't know what I'm talking about, read here: http://www.computerbytesman.com/privacy/supercookie.htm

Benji Smith
Thursday, May 02, 2002

I think it's actually quite a bit worse of an issue than even I've suggested.

Per the Microsoft link you provide, session cookies are treated exactly like persistent cookies.

If your site requires cookies to function and you send a link to it to a Hotmail user, that person will *not* be able to use your site after clicking on the link in Hotmail.

I've also run into numerous sites that have, say, nav being served by one server in the left hand frame and content served by another computer in the right frame that just plain don't work for IE6 users. When I contact them about it, they are totally oblivious to the issue.

As IE6 becomes more and more prevalent, this is going to become a bigger and bigger problem because the vast majority of webmasters are completely clueless about it and fixing it is non-trivial. And, users are notorious for chalking something like this up as just another unexplained computer quirk.

pb
Thursday, May 02, 2002
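As an added illustration of the behaviour the posts above describe (not code from this thread or from Microsoft), here is a small model of how IE6's Medium privacy level treats a cookie depending on whether the response carried a P3P compact policy, whether the cookie is persistent, and whether it was set in first- or third-party context. The rules encode the thread's description (third-party cookies without a compact policy blocked, first-party persistent cookies without one "leashed"); the `CP` token string is a constructed sample, and a real site would generate its own with a policy editor and send it with PHP's `header()` as Benji describes.

```python
"""Simplified model of IE6 'Medium' privacy handling, built from this thread's description."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample compact policy; a real site generates its own with a P3P policy editor.
EXAMPLE_CP = 'CP="NOI DSP COR NID"'


@dataclass
class Cookie:
    name: str
    persistent: bool       # has an expiry; False for a session cookie
    set_with_cp: bool      # the response that set it carried a P3P compact policy header
    set_first_party: bool  # set while its host was the top-level page (first-party context)


def response_headers(compact_policy: str, cookie_line: str) -> List[Tuple[str, str]]:
    """Headers a site emits (PHP: header('P3P: ...'); setcookie(...)) so IE6 Medium accepts
    its cookies even when the page is loaded inside another site's frame, e.g. Hotmail's."""
    return [("P3P", compact_policy), ("Set-Cookie", cookie_line)]


def accept_on_set(cookie: Cookie) -> str:
    """Decision IE6 Medium makes when Set-Cookie arrives: 'accept', 'leash' or 'block'."""
    if cookie.set_with_cp:
        return "accept"                     # compact policy present: stored normally
    if not cookie.set_first_party:
        return "block"                      # third-party context, no policy: rejected outright
    if cookie.persistent:
        return "leash"                      # first-party persistent, no policy: stored but leashed
    return "accept"                         # first-party session cookie needs no policy


def sent_on_request(cookie: Cookie, request_first_party: bool) -> bool:
    """Whether IE6 replays a previously stored cookie for a request in the given context."""
    state = accept_on_set(cookie)
    if state == "block":
        return False                        # never stored, so never sent
    if state == "leash":
        return request_first_party          # leashed cookies are withheld in third-party context
    return True


def hotmail_frame_scenario(site_has_cp: bool) -> str:
    """A link opened in Hotmail's frame: the target site is third-party and sets a session cookie."""
    return accept_on_set(Cookie("sid", persistent=False, set_with_cp=site_has_cp, set_first_party=False))
```

`hotmail_frame_scenario(False)` reproduces the breakage pb describes, and `hotmail_frame_scenario(True)` shows why adding the P3P header fixes it.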
