Category — security
P3P Policies are a joke
Initially I thought P3P policies might be quite useful: a nice way to see how a site promises to use my data, and I could even configure my browser to act on my privacy settings accordingly.
It was a nice thought, at least. Unfortunately the reality is somewhat different. The only browser that seems to even support P3P privacy policies is Internet Explorer, and when I say “support”, what I actually mean is “make a complete hash of”.
It appears that if you want to set cookies from a third-party domain, in an iframe or an image tag for instance, IE will only accept them when the response carries a P3P header with a compact policy (the CP= part); under its default privacy setting, a third-party cookie with no compact policy is simply blocked.
Okay, no problem, we’ll set ours up. Unfortunately the site I was working on has terms and conditions that state that they can use users’ data for pretty much anything. Initially IE didn’t appear to have a problem with the policy stating this. The third-party cookies worked a treat, but for some insane reason Microsoft in their wisdom decided to turn all first-party cookies into session cookies, which meant the whole system wouldn’t function.
This ain’t news’ lead developer Mark discovered that Facebook are using a very strange P3P policy that only contained “CP=HONK”. As we could find no reference to this anywhere, we discovered through trial and error that you can put in any gibberish and IE lets all first-party and third-party cookies work fine!
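To see how far “HONK” is from a real compact policy, here is a small checker I have added to this post (it is not code from the original article, nor from Facebook or Microsoft). It pulls the CP= value out of a P3P header and tokenises it against the token groups of the W3C P3P 1.0 compact policy grammar as I read them; the token table and the list of groups I treat as required are my own reading of the spec and are assumptions of this example, and both header values in the demo are constructed. The point it shows is that “HONK” contains no P3P token at all, so a browser that accepted it was not validating the policy against the grammar in any way.

```python
"""Parse and sanity-check a P3P compact policy (the CP= part of a P3P header)."""
import re

# Token groups as I read them from the W3C P3P 1.0 compact policy grammar.
# The original post lists no tokens; this table is an assumption of this example.
TOKEN_GROUPS = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "non-ident": {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                  "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                  "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":      {"TST"},
}
# Purpose and recipient tokens may carry a one-letter consent qualifier:
# a = always, i = opt-in, o = opt-out (e.g. "CONi", "OTRa").
QUALIFIABLE = TOKEN_GROUPS["purpose"] | TOKEN_GROUPS["recipient"]
# A full P3P policy needs an access element plus, per statement, purpose,
# recipient, retention and data categories, so a compact policy derived from
# it should carry at least one token from each of these groups (my reading).
REQUIRED_GROUPS = ("access", "purpose", "recipient", "retention", "category")

# Matches both the quoted form CP="NOI DSP" and the bare form CP=HONK.
CP_RE = re.compile(r'CP\s*=\s*(?:"([^"]*)"|([^\s,;]+))', re.IGNORECASE)


def extract_cp(header_value):
    """Return the compact policy string from a P3P header value, or None."""
    m = CP_RE.search(header_value)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_token(token):
    """Return the group a token belongs to, or None if it is not a P3P token."""
    base = token
    if len(token) == 4 and token[3] in "aio" and token[:3] in QUALIFIABLE:
        base = token[:3]  # strip the consent qualifier
    for group, members in TOKEN_GROUPS.items():
        if base in members:
            return group
    return None


def parse_compact_policy(cp):
    """Tokenise a compact policy and report the groups it covers, the tokens
    the grammar does not know, and whether it looks well formed and complete."""
    found = {}
    unknown = []
    for token in cp.split():
        group = classify_token(token)
        if group is None:
            unknown.append(token)
        else:
            found.setdefault(group, []).append(token)
    return {
        "groups": found,
        "unknown": unknown,
        "well_formed": not unknown,
        "complete": not unknown and all(g in found for g in REQUIRED_GROUPS),
    }


def p3p_header(cp):
    """Build the (name, value) header a server would send, refusing a policy
    that fails the checks above rather than shipping gibberish."""
    report = parse_compact_policy(cp)
    if not report["complete"]:
        missing = [g for g in REQUIRED_GROUPS if g not in report["groups"]]
        raise ValueError("refusing to emit compact policy: unknown=%r missing=%r"
                         % (report["unknown"], missing))
    return ("P3P", 'CP="%s"' % cp)


if __name__ == "__main__":
    # Constructed header values for the demo: the first mirrors the one
    # described in the post, the second is a made-up but grammatical policy.
    for raw in ('CP=HONK',
                'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa OUR BUS IND UNI NAV STA"'):
        print(raw, "->", parse_compact_policy(extract_cp(raw)))
```

Run it and the first line reports “HONK” as an unknown token with no groups covered, while the second reports every required group present. The header builder is the check I would actually want on a server: it refuses to emit a CP= value that is not at least grammatical, which is the least a site can do before claiming a browser will enforce anything on its behalf.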
So in essence, the only browser that supports P3P policies is IE, and to get round them just put in some Lorem Ipsum. Now that’s a security model.
April 1, 2009